
WLN2018

WiNG TECHNICAL TRAINING

– This presentation is intended to be used during the instructor-led course and as an aid to review content covered during class.
– It is not intended as a self-study guide.
– The information contained herein is intellectual property of Zebra Technologies Knowledge Center, and should not be distributed beyond those attending the course in person.

3.3.2-057B, 2015-06
COURSE OBJECTIVES
After completing this course, you should be able to:
 Explain all key WING5 characteristics without using the documentation
 Explain how all core WiNG5 features work using the student guide
 Deploy all standard configurations covered in course using documentation
 90%+ of what is typically encountered in the field
 Configure other WiNG5 features using WiNG HOW-TOs
 Describe advanced WiNG5 features using the study guide
 Explain, follow and deploy WING5 best practices and reference designs
 Explain the key WLAN design challenges and caveats
 Troubleshoot any configuration you have built using available aids

What are your experiences?
• Name, company
• Experience with WiNG4/5 and WLANs in general
• Your expectations / goals for this session?

Do you find these objectives useful? How will they help you in your work? Anything you would add?
3
BOOTCAMP PLAN
What we will do

Introduction
– Portfolio recap, licensing
– WiNG5 key concepts
– Efficient CLI/GUI use
– Initial configuration

WLANs and key features
– PSK, 802.1X WLANs
– Captive portals
– WLAN optimization features
– Mesh

WiNG5 architecture in-depth
– MiNT, adoption, clustering, tunneling
– Reference designs and best practices
– Common issues and troubleshooting

Features & services
– Security, WAN
– Efficient operations and administration
– WiNG troubleshooting

30+ labs, exercises and other activities

Scope: This course addresses WiNG 5.8 and later. General logic is applicable to previous 5.x releases, but not all features may be available. WiNG Express is not in scope.
4
PREREQUISITES
Learning Portal: http://learning.zebra.com

Essential Wired and Wireless Knowledge:
– Wired: IP Stack (IP/TCP/UDP/ARP), Ethernet bridging (802.3, 802.1q, STP), Routing/NAT, DHCP/DNS/other service protocols, L2/L3 QoS
– Wireless: RF theory, 802.11 protocol
– Security: WLAN authentication and encryption mechanisms, 802.1X and RADIUS (EAP/PEAP/TLS/etc, configuring EAP authentication on client devices), Stateful Firewall and ACLs

Our current WLAN portfolio

Recommended:
– WLAN Technical Associate Certification (xWWTA0001)
– WiNG4 or other enterprise wireless vendor experience

5
HOUSEKEEPING
Important to know

Schedule, Phones, Facilities
Questions and Feedback – anytime
Not all slides will be covered, some are left for reference. Even whole modules.

Labs
– Lab Kits, 2.4GHz only clients
– Read ahead, labs have traps. Read next item as well for hints/clues
– Save configs after every lab

This is not school:


– Interactive discussion, not lecture
– As long as you get a valid answer, it counts
– We’re here to fail, so we don’t fail in front of the customer
– The more you ask / share – the more you get

Very Important note:


Ready to proceed?
Have fun!
6
PART 1: WING
ESSENTIALS
WiNG5 Introduction
Key Concepts
Initial Configuration
Labs
WiNG Architecture
Labs and Exercises
Wrap up

7
WING5
INTRODUCTION
What is WiNG5?

8
WING5 INTRODUCTION
Module Intro

Here’s what you’ll learn:


 Explain three key Enterprise WLAN challenges that led to development of
WiNG5
 Explain how those challenges affected the architectural properties of WiNG5
 Describe at least 4 key benefits instantly enabled by the new architecture
 List currently supported AP, Controller and Switch models/families and explain
their positioning using the information provided in the guide
 Interpret AP model numbers
 List 6 typical WING5 designs and explain how they seamlessly grow into each
other

Plan:
 Discuss the topics
 Check your knowledge by answering recap questions

What are your experiences? How do you think it might help you in this training and later when working with WiNG5?
9
WING5 INTRODUCTION
WLAN Architecture Evolution

INDEPENDENT (STANDALONE)
– First wireless LANs
– Mobile data access filled need for convenience
– Limited mobility
– Difficult to manage
– Limited security

HUB AND SPOKE (CENTRALIZED)
– Cost efficient 802.11a/b/g WLAN
– More robust, larger networks of scale; affordable
– Limited 11n scalability
– Bottleneck at wireless controller
– Limited security/QoS at the edge

WiNG5 (DISTRIBUTED)
– Better quality of experience
– Affordable way to handle higher network demand
– No bottlenecks
– Scalable 802.11n/ac
– VoIP and video reliability
– Security at the edge
10
WING5 KEY HIGHLIGHTS
Simplified Deployments

Diagram: an RFS4000 WLAN Controller reaching remote sites over DSL, T1 or 3G WAN links and an indoor mesh.

1. Works with existing VLANs, no need to redesign the network
2. Optimal packet forwarding over Layer 2, Layer 3 or Mesh links
3. Fast site-to-site direct links
11
WING5 KEY HIGHLIGHTS
Security at the edge of the network

Security at the AP edge
– Stateful, roaming-aware, multi-layer firewall in APs allows full inspection without performance loss
– Role-based firewall for added flexibility

Wireless-Wireless protection
– Protect wireless clients from other wireless clients. Drop traffic on wireless interface w/o clogging LAN/WAN

Fast Roaming

12
WING5 KEY HIGHLIGHTS
Superior Reliability
SMART RF
– Automatic real-time RF Management
– Power and channel selection
– Interference mitigation
– Neighbour recovery
– Wireless Client Coverage Hole Recovery
– Supports multiple sites

Site Survivability and Distributed Services
– Site-Survivable APs can work w/o the controller while still offering all the services (RADIUS, Firewall, DHCP, roaming, etc)
– On remote sites one of the APs will be elected to provide centralized functions such as SMART RF, etc for other APs on site
– Do not confuse with AP Virtual Controller

13
WING5 KEY HIGHLIGHTS
Massive Scalability

Harness the processing power of the Access Points: vastly improved scalability
10X improvement for small packets – benefits VoIP performance
– Redesigned network stack increases performance for small frames
Fast roaming
Controller is no longer a bottleneck
– 1000s of sites with a single controller

14
WING5 CONTROLLERS
Overview and evolution

Diagram: capacity & performance increasing from Small/Branch through Medium Campus / DC to Large DC / Private Cloud.

Current platforms:
– NX 9000, NX 95xx, NX 9600 (NX9xxx / NX96xx): Services, Features & Applications; Adoption Capacity = 10,240
– NX 7500: Services; Adoption Capacity = 2048
– VX 9000: Virtualized Controller
– NX 6500 / 6524: Adoption Capacity = 264
– NX 4500 / 4524: Adoption Capacity = 144

End of Sale or Pending End of Sale: RFS 4010, RFS 6000, RFS 7000 (adoption capacities shown on the slide: 144, 256, 1024)

15
WING5 AP PORTFOLIO
Supported and on sale

Outdoor (Standalone, Virtual Controller or Controller-Managed)
– AP 6562: 802.11n 2x2:2
– AP 7161: 802.11n 3x3:2
– AP 7181: 802.11n 3x3:2
– AP 8163: 802.11n 3x3:3

Indoor, Requires Controller (Dependent Access Points)
– AP 300: 802.11a/b/g 1x1:1
– AP 621: 802.11n 2x2:2
– AP 622: 802.11n 2x2:2
– AP 650: 802.11n 2x3:2

Indoor, Standalone, Virtual Controller or Controller-Managed (Independent Access Points)
– TW-511 (T5): 802.11n 2x2:2
– TW-522 (T5): 802.11ac 2x2:2
– AP 7502: 802.11ac+n 2x2:2
– AP 7522: 802.11ac 2x2:2
– AP 7532: 802.11ac 3x3:3
– AP 8232: 802.11ac 3x3:3
– AP 7131: 802.11n 3x3:2
– AP 8122: 802.11n 3x3:3
– AP 8222: 802.11ac 3x3:3
– AP 8132: 802.11n 3x3:3
– AP 6511: 802.11n 2x2:2
– AP 6521: 802.11n 2x2:2
– AP 6522: 802.11n 2x2:2
– AP 6532: 802.11n 2x3:2

16
WING5 AP PORTFOLIO
What you should focus on

Outdoor (Standalone, Virtual Controller or Controller-Managed)
– AP 6562: 802.11n 2x2:2
– AP 7562: 802.11ac 3x3:3
– AP 8163: 802.11n 3x3:3

Indoor, Standalone, Virtual Controller or Controller-Managed (Independent Access Points)
– TW-511 (T5): 802.11n 2x2:2
– TW-522 (T5): 802.11ac 2x2:2
– AP 7502: 802.11ac+n 2x2:2
– AP 7522: 802.11ac 2x2:2
– AP 7532: 802.11ac 3x3:3
– AP 8122: 802.11n 3x3:3
– AP 8132: 802.11n 3x3:3
– AP 6511: 802.11n 2x2:2
– AP 6521: 802.11n 2x2:2
– AP 6522: 802.11n 2x2:2

Requires Controller (Dependent Access Points): none listed on this slide

17
LAN SWITCHES
EX3500 Series

– EX-3524: 24 GE ports, 370W PoE power budget
– EX-3548: 48 GE ports, 740W PoE power budget
– 24-48 GE ports, PoE/PoE+ capable – up to 30W
– Uplink: 4x 1G SFP
21
T5 PBN SOLUTION
Private Broadband Networking

Imagine PoE over telephone wire…

Diagram:
– TS-524 switch at the core network
– POTS + power + broadband carried over the existing telephone wire from the PBX phone block
– TW-511 802.11a/b/g/n wallplate (2 x FE ports, 1x 11abgn radio) over 450m of telephone wire
– TW-510 Ethernet wall switch (2 x FE ports) over 600m of telephone wire
– Wallplate size: 125 x 92 x 29mm (5 x 3.6 x 1.1”)
22
T5 PBN SOLUTION
Why/when do you need it?

Hotel/office block with lots of rooms
– Telephony already present, but no CAT5

How much will adding typical Wi-Fi cost?
– Cabling + work + décor >= __% of budget?
– Will APs in corridors provide good coverage?

Why not place APs where the user is?
– In the guest room
– Normally placed in every 4-6th room
– Powerful ___ MIMO radio and antennas

Why pay for extra cabling, electrical and installation work?
– Data and _____ over the _____ cable
– Easily installed on top of phone wall socket

Why worry that someone steals/unplugs?
– Discreet, compact

Managed with WiNG

What other AP models can be used?
– ______________________

23
WING5 KEY HIGHLIGHTS
WiNG5 licenses

License Type: AAP Licenses (any AP except AP300)
– RFS Series: 0 – 1024, shared in cluster
– NX Series: 0 – 10240, shared in cluster

License Type: Advanced Security (Role Based firewall)
– On/Off, individual per device; preinstalled on RFS4000 and NX4500

License Type: VPN Tunnel upscale

License Type: Web Filtering (Advanced HTTP application-layer firewall, per year subscription)
– 64-1024 APs max, shared in cluster; requires NX75+ or VX

License Type: Virtual Appliance Platform
– VX Series: required for production

License Type: nSight
– Equal to number of APs, shared in cluster

AP/AAP Licenses
– Bought in packs
– Can be shared in cluster and hierarchy
– AAP License supports any AP except AP300
– AP Licenses were required only for AP300s (AP300 no longer supported)

24
WING5 KEY HIGHLIGHTS
Variety of Architectures

Single Site

1. Standalone: Tiny sites with 1-2 APs; no need for centralized configuration
2. Virtual Controller: Small sites with 2-24/64 APs; centralized management within site
3. On-Site Controller: Sites with >24 APs; campus deployments; distributed forwarding – centralized management

Diagram: Standalone | Virtual Controller | On-Site Controller

25
WING5 KEY HIGHLIGHTS
Variety of Architectures

Essentially, variations of the same architecture

Multi-Site
Centralized/Hierarchical = ONEVIEW

4. Teleworkers: multiple 1-cell sites, auto VPN tunnel to DC / cloud
5. Controller in the DC: Sites with <=128 APs; no onsite controller, real-time operations localized within site = efficient use of WAN, site survivability
6. Hierarchical: Multiple sites with >128 APs; site controllers managed from DC controller; efficient use of WAN, site survivability

Diagram: a centralized NX/VX controller in each case – Teleworkers | No onsite controller | Onsite controller

26
WING5 KEY HIGHLIGHTS
Distributed Hierarchical Enterprise Infrastructure

Diagram:
– HQ / DC: NX/VX DC Cluster – integrated management, security, assurance, etc
– Branches (micro, small, medium): managed RFS cluster, managed NX controller with extra services, or a holistic network w/o onsite controller, incl. mesh
– Micro / telecommuters: AP with Auto VPN connection

27
WING5 INTRODUCTION
Module Recap

Check your learning, can you perform the following?


 Explain three key Enterprise WLAN challenges that led to development of
WiNG5?
 Explain how those challenges affected the architectural properties of
WiNG5?
 Describe at least 4 key benefits instantly enabled by the new architecture?
 List currently supported AP, Controller and Switch models/families and
explain their positioning using the information provided in the guide?
 Interpret AP model numbers?
 List 6 typical WING5 designs and explain how they seamlessly grow into
each other?

How do you think it might help you in this training and later when working with WiNG5?

Any final questions before we move on?

28
KEY CONCEPTS
How is WiNG5 set up?

29
WING5 CONFIGURATION MODEL
Module Intro

Here’s what you’ll learn:


 Explain the key WiNG5 configuration model concepts such as RF Domain,
Profile, Device overrides, WLAN, Policy without using documentation
 Correctly explain how the final device configuration is built from those
components
 Efficiently use the above components in your configuration management tasks,
based on the use cases provided
 Explain what Base MAC Address is and why it is important

Plan:
 Discuss the topics
 Check your knowledge by answering recap questions

Anyone tried setting WiNG5 up w/o any study/research?
 Can you compare it to WiNG3/4?
How do you think it might help you in this training and later when working with WiNG5?

30
KEY CONCEPTS
Configuration Model Overview

Hierarchical configuration model
– Centralized Management
– Distributed Operation
– Manage large number of devices
– Share common configuration between devices
– Minimize the amount of config objects
– HQ manages sites

Master Configuration File
– Replaces traditional flat config
– Contains configuration for the whole WiNG5 network
– Resides on Controller(s)
– Relevant portions applied to managed devices
– Synchronized across cluster and hierarchy

Diagram: contents of the Master Configuration File
– RF Domains: default; user-defined (site1, site2, siteXX, lab)
– Profiles: default-vx9000, default-nx7500, default-ap7532, default-ap7521, default-ap8163; user-defined
– Devices: VX9000-1, VX9000-2, AP7532-1, AP7532-2, …
– WLANs: corp, guest-hq, TEST, storeWLAN, staging, …, WLAN 256
– Policies: AAA, Adoption, Advanced WIPS, Association ACL, Captive Portal, Categorization, Device Discover, DHCP, Firewall, IGMP Snoop, ISAKMP, Management, NAT, Radio QoS, RADIUS Server, Role, Smart-RF, VPN, WIPS, WLAN QoS, …
31
KEY CONCEPTS
Device Final Configuration

Final device configuration:
– Settings inherited from an RF Domain
  • Typically, regional and regulatory
– Settings inherited from Profile
  • Typically, common policies and parameters across a group of devices: ports, VLANs, IP
– Settings assigned to it explicitly as Overrides
  • Unique tweaks for this device

RF Domain + Profile + Device Overrides = Final Device Configuration

Changes made to RF Domain or Profile are automatically propagated to all assigned devices
– Allows bulk configuration changes

Changes made to individual devices (overrides) are only applied to those devices
– Add/remove/change any settings inherited from RF Domains or Profiles
– Allows fine tuning on individual Device level
32
KEY CONCEPTS
Reference: configuration element definitions

RF Domains: Assigns regulatory, location and supported Policies to one or more Wireless Controllers and Access Points. Each Wireless Controller and Access Point must be assigned to a default RF Domain or user-defined RF Domain.

Profiles: Assigns configuration parameters, supported Policies and WLANs to groups of Wireless Controllers and Access Points. Profiles are device specific and each Wireless Controller and Access Point must be assigned to a default Profile or user-defined Profile.

Policies: Policies contain groups of configuration parameters for specific features such as AAA, Captive Portal, WIPS, Firewall etc. Policies can be assigned to Wireless Controllers or Access Points using RF Domains, Profiles, WLANs and Devices.

WLANs: Each WLAN object contains Wireless LAN specific configuration parameters such as SSID name, VLANs, encryption and authentication as well as supported policies. WLANs can be assigned to groups of Access Point radios using Profiles or individual radios as Overrides.

Devices: Each device may be individually assigned unique configuration parameters such as Hostnames, static IP addresses as well as supported Policies and WLANs. Individual device configuration combines with the configuration parameters inherited from RF Domains and Profiles to form a final device configuration.

33
KEY CONCEPTS
Example

rf-domain mysite
 location Somewhere under a mountain
 contact admin@mycorp.com
 timezone GMT
 country-code us
 use smart-rf-policy myRF
!

Diagram: devices in RF Domain mysite
– NX-01 (00-23-68-64-43-5A), NX-02 (5C-0E-8B-17-E8-F6)
– AP7532-01 (5C-0E-8B-A4-48-80), AP7532-02 (5C-0E-8B-A4-4B-48), AP7532-03 (5C-0E-8B-A4-4C-3C)

34
KEY CONCEPTS
Example

Controller profile (NX-01 00-23-68-64-43-5A, NX-02 5C-0E-8B-17-E8-F6):

profile nx7500 site-nx
 ip name-server 192.168.10.5
 ip domain-name mycorp.com
 no autoinstall configuration
 no autoinstall firmware
 interface me1
 interface up1
  description LAN-Uplink
  switchport mode trunk
  switchport trunk native vlan 20
  switchport trunk native tagged
  switchport trunk allowed vlan 20,23-25
  ...
 use management-policy site-mgmt
 use firewall-policy default
 use auto-provisioning-policy site-adopt
 ntp server 192.168.10.5 prefer
!

AP profile (AP7532-01 5C-0E-8B-A4-48-80, AP7532-02 5C-0E-8B-A4-4B-48, AP7532-03 5C-0E-8B-A4-4C-3C):

profile ap7532 site-ap
 ...
 interface radio1
  wlan CORP-DOT1X bss 1 primary
  wlan GUEST-PORTAL bss 2 primary
 interface radio2
  wlan CORP-DOT1X bss 1 primary
 interface ge1
  description Uplink
  switchport mode trunk
  switchport trunk native vlan 21
  no switchport trunk native tagged
  switchport trunk allowed vlan 21-22
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface vlan21
  description AP Management
  ip address dhcp
  ip dhcp client request options all
 use management-policy site-mgmt
 use firewall-policy site-ap-fw
 ntp server 192.168.10.5 prefer
!

35
KEY CONCEPTS
Example

Device sections for the two controllers (NX-01, NX-02):

nx7500 00-23-68-64-43-5A
 use profile site-nx
 use rf-domain mysite
 hostname nx-01
 license AAP <string>
 license ADSEC <string>
 ip default-gateway 192.168.20.1
 interface up1
 interface vlan20
  description SERVICES
  ip address 192.168.20.22/24
 interface vlan25
  description GUESTS
  ip address 192.168.25.22/24
 cluster name site-cluster
 cluster member ip 192.168.20.23
 cluster master-priority 255
!
nx7500 5C-0E-8B-17-E8-F6
 use profile site-nx
 use rf-domain mysite
 hostname nx-02
 license AAP <...>
 license ADSEC <...>
 ip default-gateway 192.168.20.1
 interface up1
 interface vlan20
  description Services
  ip address 192.168.20.23/24
 interface vlan25
  description Guests
  ip address 192.168.25.23/24
 cluster name site-cluster
 cluster member ip 192.168.20.22
 cluster mode standby
!

Device sections for the three APs (AP7532-01, AP7532-02, AP7532-03):

ap7532 5C-0E-8B-A4-48-80
 use profile site-ap
 use rf-domain mysite
 hostname AP-01
!
ap7532 5C-0E-8B-A4-4B-48
 use profile site-ap
 use rf-domain mysite
 hostname AP-02
!
ap7532 5C-0E-8B-A4-4C-3C
 use profile site-ap
 use rf-domain mysite
 hostname AP-03
!

36
RF DOMAINS
Introduction

Assign any site or RF-specific settings
– Typically represent Sites
– One RF Domain per Controller/AP
– Changes are automatically inherited by all devices assigned to that RF Domain

Can be assigned
– Manually
– Automatically (using Auto-Provisioning Policies)

Otherwise, newly adopted devices are assigned to RF Domain named default

Diagram: RF Domain = Corp at headquarters; RF Domain = Store1, Store2, Store3, Store4 at the stores

37
RF DOMAINS
Example 1: Hassle-Free

Common Smart RF and WIPS Policy across different floors or buildings

Diagram: RF Domain ‘Corp’ uses Smart-RF Policy ‘Corp’ and WIPS Policy ‘Corp’

38
RF DOMAINS
Example 2: Policy Re-use

Different Smart RF or WIPS Policies across different floors or buildings

Diagram:
– RF Domain ‘Building1’: Smart-RF Policy ‘Office’, WIPS Policy ‘Corp’
– RF Domain ‘Building2’: Smart-RF Policy ‘Office’, WIPS Policy ‘Corp’
– RF Domain ‘Building3’: Smart-RF Policy ‘Industrial’, WIPS Policy ‘Corp’
– RF Domain ‘Building4’: Smart-RF Policy ‘Labs’, WIPS Policy ‘Corp’

39
RF DOMAINS
Example 3: Large Scale Multi-Site

Unique Country Codes and Location Information across different sites or countries

Diagram:
– RF Domain = Portland: Country Code = US, Time Zone = PST, Smart-RF = Factory, WIPS = Branch
– RF Domain = Toronto: Country Code = CA, Time Zone = EST, Smart-RF = Office, WIPS = Branch
– RF Domain = Chicago: Country Code = US, Time Zone = CST, Smart-RF = DC, WIPS = Branch
– RF Domain = LA: Country Code = US, Time Zone = PST, Smart-RF = Office, WIPS = Branch
– RF Domain = Atlanta: Country Code = US, Time Zone = EST, Smart-RF = R&D, WIPS = Branch
– RF Domain = Corp: Country Code = US, Time Zone = CST, Smart-RF = Office, WIPS = Corp

40
RF DOMAINS
Example 4: RF Domain Overrides

Certain parameters can be overridden on a per-RF Domain (i.e. per-site) basis:
– Ex: Custom SSIDs and VLAN IDs across different sites assigned to same WLAN object
  • Same WLAN seen as different WLANs mapped to different VLANs on different sites
  • Still, only 1 WLAN object to manage – reduces admin overhead

Diagram:
– WLAN OfficeWLAN at two sites: SSID = Corp, VLAN = 1 on both ( Common WLAN ID,  Common SSID,  Common VLAN IDs)
– WLAN StoreWLAN at four sites: SSID = Store01 / VLAN = 4; SSID = Store65 / VLAN = 2; SSID = Store24 / VLAN = 1; SSID = Store99 / VLAN = 3 ( Common WLAN ID,  Unique SSID,  Unique VLAN IDs)

41
RF DOMAINS
Elements and Config

Policies
 Smart RF Policy
 WIPS Policy

Configuration Parameters
Basic Configuration:  Contact,  Country Code,  Control VLAN,  Layout,  Location,  MAC Names,  Statistics Interval Updates,  Time Zone
Sensor Configuration:  Sensor Server & Port
Overrides:  Smart RF Channel Lists,  SSID Override,  VLAN Override

Example configuration:

rf-domain datacenter
 location New York
 timezone EST5EDT
 country-code us
 use smart-rf-policy Corp
!
rf-domain store001
 location Nashville
 timezone CST6CDT
 country-code us
 use smart-rf-policy store-FCC
 use wips-policy WIPS-US
 override-wlan storewlan ssid STORE001
!
rf-domain store002
 location Berlin
 timezone GMT+1
 country-code de
 use smart-rf-policy store-ETSI
 use wips-policy WIPS-EU
 control vlan 1
 override-wlan storewlan ssid STORE002
!
rf-domain default
 no country-code
!

42
RF DOMAINS
Check your understanding

Are RF Domains assigned to Controller or APs?


1 _______________________________________________________________________

Can you have two RF Domains with the same name?


2 _______________________________________________________________________

How many RF Domains can be assigned to a device at the same time?


3 _______________________________________________________________________

Can you assign same RF Domain to multiple APs and Controllers?


4 _______________________________________________________________________

Which RF Domain is assigned to device if no explicit assignment is present?


5 _______________________________________________________________________

Can you assign RF Domains to Controllers and APs manually? Automatically?


6 _______________________________________________________________________

Any questions before we move on?


44
PROFILES
Introduction

Assign a common set of configuration parameters and policies to groups of devices
– Templates for mass management
– Available configuration parameters depend on the hardware model

Same logic as RF Domains
– Default and user-defined
– Assigned manually and automatically
– Changes are propagated/inherited

Quickly enable new features or change existing settings for groups of devices

Diagram: Profile = ap7131-store (two stores), Profile = ap650-store (two stores), Profile = ap650-hq, Profile = rfs7000-hq

45
PROFILES
Elements and Config

Policies
 Auto Provisioning Policy
 Captive Portal Policy
 Critical Resource Policy
 DHCP Server Policy
 Event Policy
 Firewall Policy
 Management Policy
 RADIUS Server Policy
 Role Policy
 Routing Policy

Configuration Parameters
General:  IP Routing,  NOC Update Interval,  NTP
Cluster:  Mode / Name,  Priorities,  Members
Power:  Power Mode,  802.3af / 802.3at Configuration
Adoption:  Preferred Group,  Timers,  Controller Information
Wired 802.1X:  AAA Policy
Interface:  Ethernet,  Virtual Interfaces,  Port Channels,  Radios,  WAN Backhaul,  PPPoE
Network:  ARP,  L2TPv3,  IGMP Snooping,  QoS,  Spanning Tree Protocol,  Routing,  OSPF,  Forwarding Database,  Bridge VLAN,  CDP,  LLDP,  Misc
Security:  VRRP,  Critical Resources,  Services
Management:  Settings,  Firmware,  Heartbeat
Advanced:  Client Load Balancing,  MINT Protocol,  NAS Identifier,  RF Domain,  Etc…

Example configuration:

profile nx7500 nx7500-default
 use management-policy default
 use firewall-policy default
!
profile ap7131 ap7131-default
 use management-policy default
 use firewall-policy default
!
profile rfs7000 rfs7000-corp
 interface me1
 interface ge1
  description UPLINK
  switchport mode trunk
  switchport trunk native vlan 200
  switchport trunk native tagged
  switchport trunk allowed vlan 200-204
 interface ge2
 ...
 use firewall-policy default
!
profile ap7532 ap-store1
 interface radio1
  radio-band 5GHz
 interface ge1
  switchport access vlan 101
!
profile ap7532 ap-store2
 interface ge1
  switchport access vlan 102
!
profile anyap ap-stores
 interface ge1
  switchport access vlan $STOREVLAN

46
PROFILES
Default and User-Defined

Default Profiles
– Unique per device model
– Only one per model
– Recreated automatically
– Delete unused ones right away
– Assigned by default, unless an Auto Provisioning Policy says otherwise
– Best practice: do not edit Default Profiles

User-defined Profiles
– Unique per device model
– As many as needed per model
– Created manually
– Assigned manually or automatically (via Auto Provisioning Policy)
– Use them!

AnyAP Profile
• Supported in WiNG Enterprise 5.8+
• “One size fits all”: some device-specific features may not be available
• Before calling tech support – validate with “proper” device-specific profile
47
PROFILES
Automatic Provisioning Policies

Automatically assign user-defined RF Domains and Profiles


Match Condition Description
Any Match ANY device
Host MAC / Range Match devices using host MAC address/range
Model / Serial Number Match devices using model number / serial number
VLAN Match devices using VLAN number (L2 communications)
Host IP / Subnet Match devices using hosts IP address/subnet (L3 communications)
FQDN Match the value of FQDN
DNS-SUFFIX Match the value of DNS Suffix (FQDN w/o the hostname)
DHCP Option Match the value of a DHCP option
CDP / LLDP Match devices using location based on CDP / LLDP snooping

Assigns only to new (previously unknown) devices by default


May assign just Profile or just RF Domain
– Search will continue until the rule with the 2nd element is found
Supports wildcards to make it simpler and scalable
Can also be used to deny adoption!

48
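As an added example (not the deck's or WiNG's own code), a small Python model of how an Auto-Provisioning Policy walks its rules to hand a Profile and/or RF Domain to a newly adopting device, or to refuse its adoption. The device attributes, rule set and match names are constructed to mirror the table above; the evaluation order (top-down, first match supplies each element, keep walking until both are found, a matching deny rule stops the walk) and the wildcard syntax are assumptions, not a statement of WiNG's exact implementation.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Device:
    """What the controller knows about a device requesting adoption (constructed)."""
    model: str
    mac: str                        # Base MAC, e.g. 5C-0E-8B-A4-48-80
    serial: str = ""
    vlan: Optional[int] = None      # VLAN the request arrived on (Layer 2 adoption)
    ip: Optional[str] = None        # source IP of the request (Layer 3 adoption)
    fqdn: str = ""
    dhcp_options: dict = field(default_factory=dict)   # option number -> value
    neighbor: str = ""              # "switch/port" seen via CDP / LLDP snooping

@dataclass
class Rule:
    match: str                      # match condition name, see rule_matches()
    value: object = None
    profile: Optional[str] = None
    rf_domain: Optional[str] = None
    deny: bool = False              # a matching deny rule refuses adoption

def mac_to_int(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)

def rule_matches(rule: Rule, dev: Device) -> bool:
    """One check per match condition in the deck's table. String patterns take
    '*' / '?' wildcards (fnmatch); that syntax is an assumption."""
    m, v = rule.match, rule.value
    if m == "any":
        return True
    if m == "host-mac":
        return mac_to_int(dev.mac) == mac_to_int(v)
    if m == "mac-range":
        return mac_to_int(v[0]) <= mac_to_int(dev.mac) <= mac_to_int(v[1])
    if m == "model":
        return fnmatch.fnmatch(dev.model, v)
    if m == "serial":
        return fnmatch.fnmatch(dev.serial, v)
    if m == "vlan":
        return dev.vlan == v
    if m == "ip-subnet":
        return dev.ip is not None and ipaddress.ip_address(dev.ip) in ipaddress.ip_network(v)
    if m == "fqdn":
        return fnmatch.fnmatch(dev.fqdn, v)
    if m == "dns-suffix":           # the FQDN without its hostname part
        return dev.fqdn.partition(".")[2] == v
    if m == "dhcp-option":
        option, pattern = v
        return fnmatch.fnmatch(dev.dhcp_options.get(option, ""), pattern)
    if m == "cdp-lldp":
        return fnmatch.fnmatch(dev.neighbor, v)
    raise ValueError(f"unknown match condition: {m}")

def provision(rules, dev, known_macs=frozenset()):
    """Walk the rules top-down for one adopting device. Returns None for a
    device that already has a device section (the policy acts only on new
    devices by default), adopt=False when a deny rule matches first, otherwise
    the Profile and RF Domain to assign: the first matching rule supplies each
    element, the walk continues until both are found, and an element no rule
    supplies falls back to the model's default Profile / RF Domain 'default'."""
    if dev.mac.upper() in {m.upper() for m in known_macs}:
        return None
    profile = rf_domain = None
    for index, rule in enumerate(rules):
        if not rule_matches(rule, dev):
            continue
        if rule.deny:
            return {"adopt": False, "rule": index}
        profile = profile or rule.profile
        rf_domain = rf_domain or rule.rf_domain
        if profile and rf_domain:
            break
    return {"adopt": True, "profile": profile or f"default-{dev.model}",
            "rf-domain": rf_domain or "default"}

# Constructed retail policy: never adopt from the guest VLAN, every AP75xx gets
# the store AP profile, the RF Domain comes from the store subnet, and HQ
# devices are recognised by DNS suffix or by the VLAN they adopt over.
STORE_POLICY = [
    Rule("vlan", 999, deny=True),
    Rule("model", "ap75??", profile="store-ap"),
    Rule("ip-subnet", "10.1.0.0/16", rf_domain="Store1"),
    Rule("ip-subnet", "10.2.0.0/16", rf_domain="Store2"),
    Rule("dns-suffix", "hq.example.corp", profile="corp-ap", rf_domain="Corp"),
    Rule("vlan", 200, profile="corp-ap", rf_domain="Corp"),
]

if __name__ == "__main__":
    for dev in (Device("ap7532", "5C-0E-8B-A4-48-80", ip="10.2.4.7"),
                Device("ap8132", "00-15-70-C7-2A-A2", vlan=200),
                Device("ap7522", "00-00-5E-00-53-02", vlan=999),
                Device("ap8163", "00-00-5E-00-53-04", ip="172.16.3.3")):
        print(dev.model, dev.mac, "->", provision(STORE_POLICY, dev))
```

The AP7532 on 10.2.4.7 takes its Profile from the model rule and its RF Domain from a later subnet rule, which is the "search continues until the 2nd element is found" behaviour the slide describes.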
PROFILES
Check your understanding

Can you assign AP7532 profile to AP8132? RFS profile to NX?


1 _______________________________________________________________________

Can you assign more than one Profile to device? Same profile to multiple devices?
2 _______________________________________________________________________

Which profile is assigned to APs/Controllers when no explicit assignment is available?


3 _______________________________________________________________________

How many default profiles per device model?


4 _______________________________________________________________________

Can you assign user-defined Profiles manually?


5 _______________________________________________________________________

Automatically? Using what?


6 _______________________________________________________________________

What should be unique for each profile?


7 _______________________________________________________________________

Any questions before we move on?


49
DEVICES AND OVERRIDES
Introduction
For each “known” device there will be a section in the Master Config file

Each Device section is identified by a model and Base MAC Address:
– Example: nx7500 00-15-70-81-7B-0D
– Example: ap7532 00-15-70-C7-8F-F0

Each Device section includes
– RF Domain and Profile assignments
– Optional individual configuration Overrides
  • These will override the parameters inherited from RF Domains and Profiles
  • May add/remove/change settings/policies

Final configuration is determined by
– Inherited (RF Domains and Profiles) configuration along with
– Individual device override lines in the device section

Diagram: RF Domain (Configuration Parameters, Policies) + Profile (Configuration Parameters, Policies) + Device (Configuration Parameters, Policies) = Final Config

50
DEVICES AND OVERRIDES
Elements and Config

Policies
 Auto Provisioning Policy
 Captive Portal Policy
 Critical Resource Policy
 DHCP Server Policy
 Event Policy
 Firewall Policy
 Management Policy
 RADIUS Server Policy
 Role Policy
 Routing Policy

Configuration Parameters
Basic Configuration:  Hostname,  Area / Floor,  RF Domain,  Profile,  Clock
Basic Configuration:  IP Routing,  NOC Update Interval,  NTP
Licenses:  Manage Licenses
Certificates:  Certificate Mgmt.,  Trustpoints
RF Domain Overrides:  Sensor Configuration,  WLAN overrides
Wired 802.1X:  AAA Policy
Override – General:  IP Routing,  NOC Update Interval,  NTP
Override – Cluster:  Mode / Name,  Priorities,  Members
Override – Power:  Power Mode,  802.3af / 802.3at Configuration
Override – Adoption:  Preferred Group,  Timers,  Controller Information
Override – Wired 802.1X:  AAA Policy
Override – Interface:  Ethernet,  Virtual Interfaces,  Port Channels,  Radios,  WAN Backhaul,  PPPoE
Override – Network:  ARP,  L2TPv3,  IGMP Snooping,  QoS,  Spanning Tree Protocol,  Routing,  OSPF,  Forwarding Database,  Bridge VLAN,  CDP,  LLDP,  Misc
Override – Security:  VRRP,  Critical Resources,  Services
Override – Management:  Settings,  Firmware,  Heartbeat
Override – Advanced:  Client Load Balancing,  MINT Protocol,  NAS Identifier,  RF Domain

Example configuration:

nx7500 00-15-70-81-7B-0D
 use profile corp-dc
 use rf-domain Corp
 hostname nx01
 ip route 0.0.0.0/0 172.16.200.1
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 200
  switchport trunk allowed vlan 200-204
 interface vlan200
  ip address 172.16.200.10/24
!
ap7532 00-15-70-C7-2A-A2
 use profile corp-ap
 use rf-domain Corp
 hostname ap-hq-01
!
ap7532 00-15-70-C7-A7-20
 use profile corp-ap
 use rf-domain Corp
 hostname ap-hq-02
!
ap7532 00-15-70-C7-D5-30
 use profile corp-ap
 use rf-domain Corp
 hostname ap-hq-03
!
ap7532 00-15-70-C7-F2-A8
 use profile store-ap
 use rf-domain Store1
 hostname ap-s1-01
!
ap7532 00-15-70-C7-70-4F
 use profile store-ap
 use rf-domain Store2
 hostname ap-s2-05

51
DEVICES AND OVERRIDES
Example: Combining Profile and Override settings

Use Profiles for common parameters (bands, WLANs)
Use Overrides for specifics (channel, power, rates)
Both complement each other in final config
If the same parameter is assigned both in Profile and as Override, the Override takes precedence

AP-8132 Profile:

!
profile ap8132 ap8132-default
 interface radio1
  radio-band 5GHz
  wlan wlan1 bss 1 primary
  wlan wlan2 bss 2 primary
 interface radio2
  radio-band 2.4GHz
  wlan wlan1 bss 1 primary
  wlan wlan2 bss 2 primary
 interface radio3
 interface ge1
 interface ge2
 use management-policy Corp
 use firewall-policy default
!

AP-8132 Device Configuration:

!
ap8132 00-15-70-C7-2A-A2
 use profile ap8132-default
 use rf-domain Corp
 hostname ap8132-1
 interface radio1
  description ap-8132-3-an
  channel 157+
  power 20
  data-rates an
 interface radio2
  description ap-8132-3-bgn
  channel 11
  power 6
  data-rates bgn
  wlan wlan3 bss 1 primary
  wlan wlan4 bss 2 primary
!

Final Device Configuration:

!
ap8132 00-15-70-C7-2A-A2
 use rf-domain Corp
 hostname ap8132-1
 interface radio1
  description ap-8132-3-an
  radio-band 5GHz
  channel 157+
  power 20
  data-rates an
  wlan wlan1 bss 1 primary
  wlan wlan2 bss 2 primary
 interface radio2
  description ap-8132-3-bgn
  radio-band 2.4GHz
  channel 11
  power 6
  data-rates bgn
  wlan wlan3 bss 1 primary
  wlan wlan4 bss 2 primary
 use management-policy Corp
 use firewall-policy default
!

WLANs assigned by the Profile for radio 2 (wlan1, wlan2) are overridden by the WLANs assigned to radio 2 on the device (wlan3, wlan4)
52
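As an added example (not the deck's or WiNG's own code), a Python model of the merge the slides describe: the Profile's settings and the device section's Overrides combine parameter by parameter, the Override winning wherever both set the same parameter, and the device section is found by model plus Base MAC. The master-config dictionary reproduces the AP8132 example above; its layout is constructed for the example, not a WiNG file format.

```python
from copy import deepcopy

# Constructed master configuration, reduced to what the merge needs. Each
# "use" dict holds the objects assigned with the CLI's "use ..." lines;
# each radio's "wlan" dict maps a bss number to the WLAN assigned to it.
MASTER_CONFIG = {
    "rf-domain": {
        "Corp": {"country-code": "us", "timezone": "EST5EDT",
                 "use": {"smart-rf-policy": "Corp"}},
        "default": {},
    },
    "profile": {
        ("ap8132", "ap8132-default"): {
            "use": {"management-policy": "Corp", "firewall-policy": "default"},
            "interface": {
                "radio1": {"radio-band": "5GHz", "wlan": {1: "wlan1", 2: "wlan2"}},
                "radio2": {"radio-band": "2.4GHz", "wlan": {1: "wlan1", 2: "wlan2"}},
            },
        },
    },
    "device": {
        ("ap8132", "00-15-70-C7-2A-A2"): {
            "use": {"profile": "ap8132-default", "rf-domain": "Corp"},
            "hostname": "ap8132-1",
            "interface": {
                "radio1": {"description": "ap-8132-3-an", "channel": "157+",
                           "power": 20, "data-rates": "an"},
                "radio2": {"description": "ap-8132-3-bgn", "channel": 11,
                           "power": 6, "data-rates": "bgn",
                           "wlan": {1: "wlan3", 2: "wlan4"}},
            },
        },
    },
}

def deep_merge(inherited, override):
    """Inherited settings updated by Overrides, parameter by parameter: an
    Override wins wherever both sides set the same parameter, and anything
    only one side sets is kept. A WLAN the device maps to a bss therefore
    replaces the Profile's WLAN on that bss, while a bss the device leaves
    alone keeps the Profile's WLAN."""
    result = deepcopy(inherited)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = deep_merge(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result

def final_config(master, model, base_mac):
    """Final configuration of one device, or None when the master config has
    no section for this model + Base MAC. That is the situation after an old
    config file is copied onto replacement hardware: the old device section
    names the old Base MAC and nothing in it applies to the new box."""
    device = master["device"].get((model, base_mac))
    if device is None:
        return None
    assignments = device.get("use", {})
    profile_name = assignments.get("profile", f"default-{model}")
    domain_name = assignments.get("rf-domain", "default")
    profile = master["profile"].get((model, profile_name), {})
    domain = master["rf-domain"].get(domain_name, {})
    # Everything in the device section except the two assignment lines is an Override.
    overrides = deepcopy(device)
    overrides["use"] = {k: v for k, v in assignments.items()
                        if k not in ("profile", "rf-domain")}
    final = deep_merge(profile, overrides)
    final["rf-domain"] = {"name": domain_name, **deepcopy(domain)}
    return final

def radio_wlans(config, radio):
    """WLAN names mapped on one radio, ordered by bss number."""
    wlans = config["interface"].get(radio, {}).get("wlan", {})
    return [wlans[bss] for bss in sorted(wlans)]

if __name__ == "__main__":
    cfg = final_config(MASTER_CONFIG, "ap8132", "00-15-70-C7-2A-A2")
    for radio in ("radio1", "radio2"):
        print(radio, cfg["interface"][radio])
    # A box whose Base MAC is not in the file gets no device section at all.
    print(final_config(MASTER_CONFIG, "ap8132", "00-00-5E-00-53-01"))
```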
DEVICES AND OVERRIDES
When to use overrides?

Useful for:
– Assigning static IP addresses, hostnames, licenses, certificates
– Overriding network, wireless, security or services for individual devices

Diagram:
– Profile: Policies; WLANs = Corp, Voice; VLANs = 10,20
– Device: Policies; WLANs = Corp, Voice, Guest; VLANs = 10,20,30

53
DEVICES AND OVERRIDES
Check your understanding

1. EVERYTHING you see in the device section (<model> <MAC>) of the master config file is a
   _______________________________________________________________________

2. All configuration parameters and policies assigned to an individual device will _________
   those inherited from the RF Domain and/or Profile

3. EVERYTHING in the device section will only apply to the device with the same ____ MAC
   address.

4. Which parameters can (and should) only be assigned as device overrides?
   _______________________________________________________________________

5. An AP has WLANs 1,2,3 assigned from the Profile and 4 assigned as an Override. How
   many WLANs will the AP have? Which ones? __________________________________

6. You are replacing a faulty controller and simply copy the old config file onto the new
   box. What will happen? ____________________________________________________

7. Would you try minimizing or maximizing the number of overrides in your config?
   _______________________________________________________________________

Any questions before we move on?
54
POLICIES
Introduction

Reuse the same settings for specific features or services
across devices or sites, such as:
– Deploying multiple instances of RADIUS server for
  redundancy
– Defining the same management access settings
  (interfaces, user roles) for multiple devices/sites
– Configuring multiple WLANs to use the same AAA
  servers
– Reusing ACLs
– Etc.

Generally, Policies that can be assigned to Profiles
may also be assigned to Devices
– Certain Policies may only be assigned to WLANs
  or RF Domains
You will learn many policies in the class

(Diagram: Policies attach to RF Domains, Profiles, Devices and WLANs)
55
POLICIES
Check your understanding

1. How many policies of each type can be assigned per RF Domain, Profile, WLAN or
   Device Section? _________________________________________________________

2. Each policy requires a unique _____ and can be assigned to (single or multiple?) RF
   Domains, Profiles, WLANs or Devices

3. A Policy inherited from the RF Domain, Profile or WLAN can be ____________ by a Policy of
   the same type assigned to the Device Section

4. Certain policies are device-specific. Can you provide an example?
   _______________________________________________________________________

Any questions before we move on?
56
WLANS
Introduction

Each WLAN is defined as a separate object
– Lots of parameters and some Policies
– Assigned to AP radios via Profiles or
  Overrides

Flexible deployment model
– Quickly deploy new WLANs
– Easily edit existing WLANs
– Across individual APs or groups / sites

Extra degree of flexibility via
– RF Domain Overrides
  • Reuse the same WLAN “template” across
    multiple buildings or sites, with unique
    customizations per RF Domain
– Device Overrides
  • Fine-tune your entire setup on a per-
    device basis, create exceptions for
    troubleshooting and testing

(Diagram: WLAN assignments per site/AP – Corp, Voice; Corp; Corp, Voice, Guest; Corp, Voice, Guest; Corp, Guest)
57
WLANS
Elements and Config

Policies
– AAA Policy
– Association ACL Policy
– Captive Portal Policy
– IP Access List
– MAC Access List
– WLAN QoS Policy

Configuration Parameters
Basic Configuration:
– SSID
– Description
– Status
– QoS Policy
– Bridging Mode
– Broadcast SSID
– Answer Broadcast Probes
– VLAN(s)
– RADIUS Overrides
Security:
– Authentication
– AAA Policy
– Captive Portal
– MAC Registration
– Encryption
Firewall:
– Inbound / Outbound IP ACLs
– Inbound / Outbound MAC ACLs
– Association ACL
– Trust
– Wireless Client Deny
– Firewall Session Holdtime
– HTTP Analysis
Client Settings:
– Client-to-Client Communications
– Client Power / Idle Time
– Max Firewall Sessions
– Max Clients / Radio
– Enforce Client LB / DHCP
– Proxy ARP Mode
– Symbol Client Extensions
– Credential / VLAN Cache
Accounting:
– Syslog Accounting
– Proxy Mode
– Format / Case
– RADIUS Accounting
Client Load Balancing:
– Enforce Client LB
– Timers
– Settings
Advanced:
– 802.11w
– RADIUS NAS
– Dynamic Authorization
– Radio Rates
Auto Shutdown:
– Triggers
– Time Based Access

Example WLAN definitions:
wlan CORP-PSK
 ssid CORP-PSK
 vlan 22
 bridging-mode local
 encryption-type ccmp
 authentication-type none
 wpa-wpa2 psk 0 qwertyui
!
wlan CORP-DOT1X
 ssid CORP-DOT1X
 vlan 23
 bridging-mode tunnel
 encryption-type ccmp
 authentication-type eap
 use aaa-policy HQ-AAA-SERVERS
!
wlan CORP-GUEST
 ssid CORP-GUEST
 vlan $GUESTVLAN
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 use captive-portal corp-portal
 captive-portal-enforcement
 ip-access-list in GUEST-ACL
!
58
WLANS
Check your understanding

1. What must be defined on the AP before it can serve WLANs? Where do you define it?
   How do you map it to an AP? _______________________________________________

2. Are WLANs assigned to an AP’s Ports, Radios, Interfaces, VLANs, or Device in general?
   _______________________________________________________________________

3. Name two config elements that can assign WLANs to the device
   _______________________________________________________________________

4. WLANs assigned directly to a device radio as Overrides will override ___ WLANs
   assigned to this radio from the Profile

5. Can you have the same WLAN object with different SSIDs/VLANs/PSKs? Name two
   places where you have to define those overrides __________________________________

6. Each WLAN definition requires a unique ______

Any questions before we move on?
59
KEY CONCEPTS
Summary and recap

RF Domains: default, user-defined (site1, site2, … siteXX, lab)

Profiles: default-vx9000, default-nx7500, default-ap7532, default-ap7521,
default-ap8163, user-defined

Devices: VX9000-1, VX9000-2, AP7532-1, AP7532-2, …

WLANs: corp, guest-hq, TEST, storeWLAN, staging, … (up to WLAN 256)

Policies: AAA, Adoption, Advanced WIPS, Association ACL, Captive Portal,
Categorization, Device Discover, DHCP, Firewall, IGMP Snoop, ISAKMP,
Management, NAT, Radio QoS, RADIUS Server, Role, Smart-RF, VPN, WIPS,
WLAN QoS, ...

RF Domain + Profile + Device Overrides = Final Device Configuration
All of the above are stored in the Master Configuration File
60
WING5 CONFIGURATION MODEL
Module Recap

Check your learning, can you perform the following?
– Explain the key WiNG5 configuration model concepts such as RF Domain,
  Profile, Device, WLAN, Policy without using documentation
– Correctly explain how the final device configuration is built from those
  components
– Efficiently use the above components in your configuration management
  tasks, based on the use cases provided
– Explain what Base MAC Address is and why it is important

Soon you will practice this in the lab. Do you feel confident?
Can you explain why those UI and config model sections are there?
Any final questions before we move on?
61
INITIAL
CONFIGURATION
How do I make it work?

62
INITIAL CONFIGURATION
Module Intro

Here’s what you’ll learn:
– Fully explain and perform the process of initial device setup
– Explain admin user roles using the guide provided
– Configure management access settings for a WiNG5 device via Management
  Policy
– Configure device ports, physical/IP/VLAN interfaces using the lab guide
– Configure DHCP server via DHCP Server Policy
– Successfully perform all other relevant lab activities using the lab guide

Plan:
– Discuss the topics. Some topics are covered in slides, and some you will learn in
  the lab
– Check your knowledge by answering recap questions
– Practice your new skills and knowledge in labs
– Final Q&A and end of the day

What are your experiences configuring our or others’ devices?
Do you often have to set up devices from scratch?
63
INITIAL CONFIGURATION
Process overview

Typical step sequence performed during initial configuration (CLI/GUI):

1. Connect: Log in to the CLI or GUI using the default
   username and password
2. Management Access: Define Management Policy with admin
   name, password, management interfaces
3. Controller Setup: Create controller RF Domain and Profile,
   assign static IPs, hostname, etc
4. Licenses: Install licenses after IP/Hostname/Profile
   changes on the controller (important for VX!)
5. Sites, Profiles and Adoption: Define RF Domain(s) and Profiles for APs
   and create Auto-Provisioning Policy
6. Adoption and Rest of Config: Connect and adopt APs;
   configure WLANs and other services
64
INITIAL CONFIGURATION
How do I connect to a “blank” device?

Device access is configured via the Management Policy, defaults are:
– Username: admin
– Password: admin123 (pre 5.7 – motorola)
– Management access via: SSHv2, HTTPS and SNMP

Management Interface | Protocol | Ports
SSHv2                | TCP      | 22
HTTPS                | TCP      | 443
SNMP                 | UDP      | 161 & 162

Default IP address on Controllers: 192.168.0.1/24
– Assigned to dedicated management port (if present) or to all ports
Default IP address on APs (if DHCP fails):
– 169.254.<last two bytes of MAC Address (Hex to Dec)>
– 84:24:8D:86:45:08 -> 169.254.69.8
– Printed on the label on the latest APs

Reset device to defaults
– Log in with reset : FactoryDefault (serial console only)
65
MANAGEMENT POLICIES
How do I set up management access?

Management Policy:
– Local management user accounts, roles,
  access permissions
– Enable / disable management interfaces
– RADIUS / TACACS+ management user
  authentication, auditing and scoping
– Management access restrictions (ACLs)
– SNMPv2 / SNMPv3 parameters

Best practices
– Enable only secure management interfaces
– Disable unnecessary management interfaces on controller-managed APs
  • Do you need an HTTP server on a controller-managed AP?
  • You can still log into an adopted AP using MiNT!
66
MANAGEMENT POLICIES
User Roles / Access Permissions

Each management user is assigned:
– Role: which commands are accessible
– Allowed management interfaces
  • In addition to global management interfaces
    settings
– Assigned locally or via RADIUS/TACACS+

Special webuser-admin role
– Generate and print guest vouchers
– Custom GUI screen (no access to mgmt UI)

Role         | Permissions
Monitor      | Read-Only
Helpdesk     | Troubleshooting utilities (ex. sniffer), execute service commands, view/retrieve logs, reboot devices, etc
Network      | Configure all wired and wireless parameters (IP configuration, VLANs, L2/L3 security, WLANs, radios etc.)
System       | Modify general settings like NTP, boot parameters, perform firmware upgrades, auto install and control access
Webuser      | Create guest users for captive portal authentication (special UI)
Security     | Configure Wireless Firewall and QoS parameters
Provisioning | Can add/remove/edit devices, but not Profiles/RF Domains/Policies, etc.
Superuser    | All configuration tasks.
67
MANAGEMENT POLICIES
Considerations

1. To avoid losing control of the device, you want to ensure that each Management Policy has at
   least one user with the role of _______________________________________________

2. Do you want the same management access settings on both Controllers and managed
   APs? If not – what would be different? ________________________________________

3. Do you need Web GUI or SNMP on controller-managed APs?
   _______________________________________________________________________

4. Is using HTTP and Telnet considered a good security practice? What should be used
   instead? ________________________________________________________________

5. What can you do to further restrict management access to specific hosts or subnets?
   _______________________________________________________________________

Any questions before we move on?
68
INITIAL CONFIGURATION
Pre-lab recap

Check your learning, can you perform the following?
– Explain key WiNG5 config elements such as RF Domain, Profiles,
  Overrides, Policies, WLANs and their use cases
– Fully explain the process of initial device setup
– Explain two ways of accessing and configuring a WiNG5 device
– Explain the Management Policy and its key settings for management access
– Explain admin user roles using the guide provided

Any questions before we move on?

To the lab!
69
LAB: INITIAL CONFIGURATION

Lab 01.01-04 together:
– CLI and GUI Essentials
– Configuration basics

Lab 01.05+, Lab 02 (full) on your own:
– Finish controller setup
– Management Policy, RF Domain, etc
– AP Profile and policies
– Auto-Provisioning Policy
70
INITIAL CONFIGURATION
Module recap

Check your learning, can you perform the following?
– Explain WiNG5 architecture, what requirements led to its development, how
  it’s reflected in the config model
– Explain key WiNG5 config elements such as RF Domain, Profiles,
  Overrides, Policies, WLANs and their use cases
– Configure management access, ports, interfaces, IP, VLANs, DHCP Server,
  RF Domains, Profiles and much more, using documentation
– Efficiently use both GUI and CLI for device management
– Explain the pros and cons of overrides

Share your experiences?
Did you find this information useful? How exactly?

You can now configure a single WING5 device!
Happy?
How do you make them work together?
71
HOW WING5
WORKS
WiNG5 Architecture
MiNT protocol
Device discovery and communications
Reference designs, best practices
Common mistakes
72
WING5 ARCHITECTURE
How does it scale from 1 AP to thousands of sites?

Distributed ?
73
WING5 ARCHITECTURE
Introduction

What you will learn:
– What is the secret behind WING5 scalability and reliability?
– How do devices find each other?
– How do devices communicate?
– How does adoption, clustering and data tunnelling work?
– How to set it all up?
– What are the reference designs?
– “Do”s and “Don’t”s, best practices and common mistakes

How you will learn it:
– WiNG5 Architecture Overview
– MiNT Protocol
– Device Adoption single-site
– Multi-Site Architecture
– Clustering, tunnelling
– Reference designs, best practices
– Troubleshooting & analysis
– Numerous labs, exercises, demos

What is the chance for a successful deployment without this?
74
WING5 ARCHITECTURE
High-level overview
75
WING5 ARCHITECTURE
Objectives and Plan

Here’s what you’ll learn:
– What is the secret behind WING5 scalability?
– What are Data, Control and Management planes?
– How are they implemented in WiNG?
– How does the WiNG architecture compare to others?
– How is RFDM different from a Controller and why is it important?
– What are the key things to remember for WING5 Architecture

Plan:
– Discuss
– Recap

Do you have any experience architecting WING5 solutions?
– Other vendors?
Do you do deployments that you may call “complex”?
76
WING5 ARCHITECTURE
Three planes of network operation

Data Plane
– Making the packets flow
– L2/L3 forwarding, tunnelling

Control Plane
– Controlling the flows
– Firewalls, IPS, Dynamic Routing, QoS
– Roaming coordination
– Aggregation of statistics/events
– Remote debugging

Management Plane
– Network administration
– Device discovery, adoption,
  configuration management, providing
  single pane of glass view
77
WING5 ARCHITECTURE
Three planes of network operation

Plane      | Traffic | Smarts | Real-time? | Mission-critical? | Final load
Data       |         |        |            |                   |
Control    |         |        |            |                   |
Management |         |        |            |                   |
78
WING5 ARCHITECTURE
What is the secret of scalability?

Plane      | Traffic | Smarts   | Real-time? | Mission-critical? | Final load
Data       | High    | Low/none | +          | +                 | High
Control    | Med     | Med      | +/-        | +/-               | Med
Management | Low     | High     | -          | -                 | Low

(Centralized / Controllerless / WiNG5 columns: marked graphically on the original slide)
80
WING5 ARCHITECTURE
RFDM vs Controller

Controller                                   | RF Domain Manager
Stores and manages system configuration      | No configuration control / mgmt
Adopts devices                               | Communicates with already adopted devices
Initiates firmware upgrades                  | Only distributes upgrade images to site, from controller
Central point of troubleshooting, statistics | Collects and aggregates site statistics and
aggregation & reporting                      | forwards to controller
Displays and configures SMART RF,            | Actually performs the SMART RF, etc
Distributed Firewall/WIPS, Roaming, Load     | calculations and communicates results to
Balancing                                    | devices on site
Failover requires clustering configuration   | Failover happens automatically by default
                                             | via election
                                             | Works as dynamic failover target for MiNT
                                             | links, IPSec, L2TP tunnels, etc
Management plane                             | Control plane
82
RF DOMAIN MANAGER
Key things to remember

Elected in each RF Domain
– Automatic failover
– Priority ~= device processing power
– Controller > AP
– Can be tweaked

Who will always be the RFDM in an RF Domain
with a controller?
– Even over a WAN link! Be careful!
– Best practice: disable RFDM elections in
  controller-managed RF Domains (makes
  things faster)

Scalability
– APs can only manage 1 RF Domain
  • Up to 128 APs (24 low-end APs)
– Controllers can run multiple RF Domains
  • “Virtual RF Domain Manager” feature
  • Read the Release Notes for scalability

Key commands
– show global domain managers
– show rf-domain-manager [on …]

(Diagram: RF Domains Store1, Store2, Store3, Store4 and Corp)
83
WING5 ARCHITECTURE
Check your understanding

1. What happens if you lose Management Plane functionality?
   _______________________________________________________________________

2. What plane can a WiNG5 Controller belong to? What happens if you lose a Controller?
   How to protect from this?

3. What plane can a WiNG5 AP belong to? What happens if you lose an AP? How to protect
   from this?
   ___________________________________________________________________

4. What plane can an EX switch belong to? What happens if you lose it? How to protect
   from this?
   ___________________________________________________________________

5. What if you have more than one RFDM for the same RF Domain (as a result of
   misconfiguration)? How can this be possible? _____________________________________

6. Name the key difference between RFDM and Controller
   _______________________________________________________________________

Any questions before we move on?
84
MINT PROTOCOL
85
MINT PROTOCOL
Objectives and Plan

Here’s what you’ll learn:
– What is MiNT protocol about?
– What are the MiNT links?
– What are MiNT link layers?
– What are MiNT link levels?
– How are MiNT links formed?
– How do devices find each other?
– How to configure MiNT?
– What are the best practices and common mistakes for MiNT links?

Plan
– Discuss
– Recap
– Practice in the next lab
86
MINT PROTOCOL
How do WING5 devices communicate?

Proprietary MiNT protocol
– Tunnels called “MINT Links”
– Management, Control and Data
  traffic exchange, advanced features
– Automated, but allows fine-tuning

Over L2 or L3
– Layer 2: EtherType 0x8783
  • Point to Multipoint
– Layer 3:
  • UDP 24576 (Control/Management)
  • UDP 24577 (Data)
  • Ports can be changed
  • Point to Point

Distributed overlay network
– Discovery, management and control
– …irrespective of the physical
  topology!

Exercise: which link is which?
(Diagram: links labelled UDP 24576, UDP 24576, UDP 24577 and 0x8783; fill in Layer __ / Layer __)
87
MINT PROTOCOL
How are MiNT links established?

Automatic via MLCP Protocol
– Discovery, clustering, etc
– Can be selectively disabled for L2/L3

Manual configuration
– Explicit static L2/L3 config (rarely)
– Control VLAN parameter
– Controller VLAN / Host parameters

Golden Rule of MiNT:
– Don’t know – don’t touch
– Automation is sufficient in most cases
– Manual is mostly used for fine-tuning or
  specific cases

Key MiNT commands
– Wait until the lab…
88
MINT PROTOCOL
What types of links exist?

Two types of MiNT links
– Level 1: Links device to RFDM
– Level 2: Links device to Controller

Which link generates more traffic?

What if your Controller is your RFDM?
– Layer ___ Level __ link

Devices can have multiple links of various
levels
– Both levels allow adoption, clustering,
  tunnelling etc…

Using incorrect Link Levels will most
certainly break your network
– Best Practices document is published
– Key ones reviewed later

(Diagram: link labelled Level 1)
89
MINT PROTOCOL
Check your understanding

1. What are the two types of MiNT links?
   _______________________________________________________________________

2. Which type do you think generates more traffic? Which is optimized for WAN?
   _______________________________________________________________________

3. What if your Controller is your RFDM?
   _______________________________________________________________________

4. Which protocol discovers devices and creates links automatically? Can you control it?
   _______________________________________________________________________

5. Can you manually create MiNT links? What Level? What Layer? Why would you do it?
   _______________________________________________________________________

6. What is the UDP port number for L3 links? Why are there two? Can you change them?
   When? _________________________________________________________________

7. What is the point of MiNT protocol?
   _______________________________________________________________________

Any questions before we move on?
90
DEVICE ADOPTION
How does a device find a Controller?

91
ADOPTION

Here’s what you’ll learn:
– How does a device find a Controller?
– How does L2 adoption work?
– How to set up L2 adoption?
– How does L3 adoption work?
– How to set up L3 adoption?
– What happens after the device is adopted?
– What are the best practices and common mistakes for device adoption?

Plan
– Discuss
– Recap
– Lab
92
ADOPTION
Overview

Wired adoption (L2/L3)
– Full auto (plug-and-play)
– DHCP, DNS, AutoVPN
– Manual (pre-staging)

Wireless adoption (mesh)
– Manual pre-staging
– Why is wireless out-of-box adoption
  not a good idea?

Single and multi-site architecture
– Sites w/o on-site controller
– Hierarchical management

(Diagram: HQ Cluster and Site Cluster, each with its RF Domain and Access Points)
93
ADOPTION
Layer 2 (VLAN) discovery and adoption

If you were an AP looking for L2 adoption by a Controller, what would you do?
1. Discover possible adopters
   – Auto: L2 MiNT MLCP broadcast on all VLANs
   – Manually: controller vlan <X> (not needed in most cases)
2. Establish MiNT link and try getting adopted
3. Upon failure – go L3

Do you need IP addressing for this to work? _________________________
What if the AP is connected to a tagged switch trunk port? _________________
What if the AP can’t adopt over L2 to the controller, but can ping the controller?
– Common case 1: _______________________________________________
– Common case 2: _______________________________________________
– Common case 3: _______________________________________________

(Diagram: AP uplinks on Native VLAN vs Tagged VLAN)
94
ADOPTION
Layer 3 (IP) discovery and adoption

If you were an AP looking for L3 adoption, what would you do?
1. Discover possible adopters
   – L3 MLCP via DHCP Options or predefined DNS name resolution
   – Manually preconfigured L3 links
     • controller host <ip|hostname> level <1|2> [options]
2. Establish MiNT IP (UDP) link and try getting adopted
   – Set up IPSec VPN if required
3. Upon failure – go L2

(Diagram: Site – BR – WAN – GW – DC)
95
ADOPTION
Layer 3 (IP) discovery and adoption

Automatic: DHCP option 191
– Specify controller IP address(es) or hostname(s) - may mix
– “pool1=” prefix is mandatory
– Additional options may be specified (level, port, RF Domain, VPN, etc)

pool1=nx01.corp.com,10.2.2.3, 10.2.2.4; udp-port=9999; level=2; rf-domain=site12
pool1=192.168.0.1

Automatic: DNS name resolution
– Device will attempt to resolve ‘WING-wlc.<domain>’
– No fine-tuning options (can fine-tune after config is pushed)

Manual (pre-staging): in Profile/Device settings
– controller host <ip|hostname> level <1|2> [options]
– Can specify more than one line
96
ADOPTION
L3 Adoption Examples – can you explain the process?

(Diagram 1 – Campus; Link Level? 1; Number of RF Domains? 1-4:
 Corporate DNS for domain.com: wing-wlc IN A 192.168.10.101
 Controller 192.168.10.101 on VLAN 10
 Gateways: VLAN 10: 192.168.10.1/24, VLAN 11: 192.168.11.1/24,
 VLAN 12: 192.168.12.1/24, VLAN 13: 192.168.13.1/24
 APs on VLAN 11, VLAN 12, VLAN 13)

(Diagram 2 – WAN; Link Level? 2+1; Number of RF Domains? 3:
 Corporate DHCP Option 191: pool1=192.168.10.101
 Controller 192.168.10.101 on VLAN 10
 HQ router Ge1: 192.168.10.1/24, S0: 192.168.100.1/24
 Branch routers: S0: 192.168.100.2/24 with Ge1: 192.168.20.1/24 and
 S0: 192.168.100.3/24 with Ge1: 192.168.30.1/24
 APs on VLAN 20 and VLAN 30)
97
ADOPTION
What happens on the adopter side?

Do I want this AP?
– Based on numerous factors: licenses, load, Auto-Provisioning Policy, etc
– May accept, reject or redirect to another (load-balancing, staging zones, etc)
Do I know this AP? (device section exists in Master Config file)
– If not – run Auto-Provisioning policy to determine RF Domain and Profile

If anything fails – reject the device
– Out of licenses, no RF Domain + Profile match, denied by A-P Policy, etc.
– Device hangs in “Pending adoption”, restarts after timeout
– show adoption pending
– show adoption log <adopter | adoptee>

Else: push config to the device
– Device must ACK the config (status “Wait ACK” and/or * asterisk)
– show adoption config-errors and show adoption log
– Upgrade device firmware if needed (reviewed later in Firmware Upgrades)
98
ADOPTION
Check your understanding

1. What Plane does AP Adoption relate to: Data? Control? Management?
   _______________________________________________________________________

2. What happens with the network during a Controller outage or cluster failover? Do you
   need to load-balance APs in a cluster?
   ______________________________________________

3. Do you need an IP address in order to adopt an AP over L2? Can you have one?
   _______________________________________________________________________

4. Name three ways an AP can discover a Controller for L3 adoption
   _______________________________________________________________________

5. For plug-n-play L2 deployments and multiple VLANs configured on AP GE ports, what
   should be configured on switch ports facing the APs? ____________________________

6. What protocol is responsible for controller discovery during adoption? Can you control it?
   _______________________________________________________________________

7. How does a device find the RF Domain Manager in these scenarios?
   _______________________________________________________________________

Any questions before we move on?
99
LAB: ADOPTION

Single Site Scenario
– 03.1 L3 adoption setup
– 03.2 Plug’n’Play adoption over Layer 3
– Then stop!
100
MULTI-SITE
ARCHITECTURE
How does device find a Controller?
How does device find RFDM?
And what happens then?
101
MULTI-SITE ARCHITECTURE
Plan and Objectives

Here’s what you’ll learn:
– How is multi-site architecture different from single site?
– How does a device find the Controller?
– How does a device find the RFDM?
– What is the correct MiNT setup?
– How to configure automated multi-site deployment quickly and safely?
– What are the best practices?
– What are the common mistakes and useful troubleshooting commands?

Plan
– Discuss
– Exercise
– Demo

Are you doing multi-site deployments?
Any experiences?
102
MULTI-SITE ARCHITECTURE
How do devices find the Controller?

Establish a Level 2 IP-based MINT link to DC
– DHCP option 191
– DNS (wing-wlc.<domain.suffix>)
– Preconfigured controller host entries

Get adopted
– RF Domain and profile assigned
– Configuration added to master config
– Firmware upgrade, if required

Receive configuration from CC:
– RF Domain, Profile(s), Policies, etc
– Instructions on how to find local RFDM

All this can be pre-staged or out-of-box
103
MULTI-SITE ARCHITECTURE
How do devices find the RF Domain Manager?

Each remote site = unique RF Domain
– Must define a Control VLAN
  • In RF Domain
– APs must be able to see each other on
  the Control VLAN
– Typically the Native VLAN for the APs on
  site

Site APs
– Discover each other over the Control
  VLAN
– Form Level 1 Layer __ MINT link
– Elect a RF Domain Manager for the site

Where is your Control Plane now?
– On site / off site?
– What if this does not happen?

rf-domain store002
 location Berlin
 timezone GMT+1
 country-code de
 use smart-rf-policy store-ETSI
 use wips-policy WIPS-EU
 control vlan 1
 override-wlan storewlan ssid STORE002
104
MULTI-SITE ARCHITECTURE
Link Optimization

After the RFDM election:
– All APs tear down their links to CC
– …but the RF Domain manager
– L1 links over Control VLAN remain

All management goes through the RFDM.
– Control operations are local
– Some management is also local
  • FW updates caching, etc
– RFDM Capacity: 128 (24 low-end) APs

Greatly optimizes the bandwidth

Per AP Radio | Per Sensor
2-4 Kbps     | 3-5 Kbps

Site requirements:
Bandwidth  | Latency    | MTU
>= 256Kbps | <= 2000 ms | >= 900 bytes
105
MULTI-SITE ARCHITECTURE
Check your understanding

cc#sh mint links on site01-ap01
link vlan-1 at level 1, 19 adjacencies […]
link ip-10.0.1.1:24576 at level 2, 0 adjacencies, (unused)

cc#sh mint links details on site01-ap02
link vlan-1 at level 1, 19 adjacencies […]
link ip-10.0.1.1:24576 at level 2, 1 adjacencies, (used)
local IP 172.16.10.120, NAT'd

Which AP is RFDM? How can you confirm it?
– ____________________________________________________________
– ____________________________________________________________
What happens when RFDM fails? How can you control it?
– ____________________________________________________________
– ____________________________________________________________
How many APs on site?
What if multiple L2 links show as “used”?
106
MULTI-SITE ARCHITECTURE
Can I tweak discovery?

MiNT link parameters can be set up directly in config (pre-staging) or via the
same DHCP option 191:
– Ensure ip dhcp request options all is configured on the interface!

Parameter           | Meaning                                       | Default
level               | MiNT link level                               | 1
udp-port            | UDP port for the MINT link                    | 24576
hello-interval      | Interval between MINT hello packets, sec      | 15 (sec)
adjacency-hold-time | Interval to wait before deeming the MINT link | 45 (sec)
                    | down, sec (>= 3x hello-interval)              |
rf-domain           | rf-domain name to assign                      | N/A

Sample DHCP Option 191 Strings:
pool1=<controller-ip-address>,<controller-ip-address>;udp-port=33102;level=2
pool1=<controller-hostname>,<controller-hostname>;level=2;hello-interval=20;adjacency-hold-time=60

Also, IPsec VPN can be deployed automatically to controller or gateway
– Read the “Auto IPSec Secure” how-to
– Requires pre-staging with certificate or PSK
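The option 191 string format from the L3 adoption slide and the parameter table above define a small grammar; the parser below is an added example (not WiNG code) that splits the pool1 host list from the key=value parameters, fills in the table's defaults, and rejects a string whose adjacency-hold-time is below 3x hello-interval. The names parse_option191, Option191 and to_controller_host_lines are this example's own, and rendering only host and level into controller host lines is an assumption, since the slides do not spell out the other [options].

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Defaults taken from the parameter table on the slide.
DEFAULT_LEVEL = 1
DEFAULT_UDP_PORT = 24576
DEFAULT_HELLO_INTERVAL = 15
DEFAULT_ADJACENCY_HOLD_TIME = 45


@dataclass
class Option191:
    """Parsed MiNT adoption parameters carried in a DHCP option 191 string."""
    pool: List[str]                      # controller IPs and/or hostnames, may be mixed
    level: int = DEFAULT_LEVEL
    udp_port: int = DEFAULT_UDP_PORT
    hello_interval: int = DEFAULT_HELLO_INTERVAL
    adjacency_hold_time: int = DEFAULT_ADJACENCY_HOLD_TIME
    rf_domain: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def _positive_int(key: str, value: str) -> int:
    try:
        n = int(value)
    except ValueError:
        raise ValueError(f"{key}: expected an integer, got {value!r}") from None
    if n <= 0:
        raise ValueError(f"{key}: must be positive, got {n}")
    return n


def parse_option191(raw: str) -> Option191:
    """Parse 'pool1=<host>[,<host>...][;key=value...]' and validate it."""
    fields = [f.strip() for f in raw.split(";") if f.strip()]
    if not fields or not fields[0].lower().startswith("pool1="):
        raise ValueError('option 191 string must start with the mandatory "pool1=" prefix')
    hosts = [h.strip() for h in fields[0][len("pool1="):].split(",") if h.strip()]
    if not hosts:
        raise ValueError("pool1 names no controller IP address or hostname")
    opt = Option191(pool=hosts)

    for f in fields[1:]:
        if "=" not in f:
            raise ValueError(f"malformed parameter (expected key=value): {f!r}")
        key, value = (s.strip() for s in f.split("=", 1))
        key = key.lower()
        if key == "level":
            if value not in ("1", "2"):
                raise ValueError(f"level must be 1 or 2, got {value!r}")
            opt.level = int(value)
        elif key == "udp-port":
            port = _positive_int(key, value)
            if port > 65535:
                raise ValueError(f"udp-port out of range: {port}")
            opt.udp_port = port
        elif key == "hello-interval":
            opt.hello_interval = _positive_int(key, value)
        elif key == "adjacency-hold-time":
            opt.adjacency_hold_time = _positive_int(key, value)
        elif key == "rf-domain":
            if not value:
                raise ValueError("rf-domain given without a name")
            opt.rf_domain = value
        else:
            # Unknown keys are reported rather than silently dropped (this example's choice).
            opt.warnings.append(f"unknown parameter ignored: {key}")

    # Rule from the table: adjacency-hold-time must be at least 3x hello-interval,
    # otherwise the link is declared down before enough hellos can be missed.
    if opt.adjacency_hold_time < 3 * opt.hello_interval:
        raise ValueError(
            f"adjacency-hold-time {opt.adjacency_hold_time}s is below "
            f"3 x hello-interval ({3 * opt.hello_interval}s)")
    return opt


def to_controller_host_lines(opt: Option191) -> List[str]:
    """Render the equivalent pre-staged 'controller host <ip|hostname> level <1|2>' lines.
    Only host and level are emitted (assumption: the slides do not list the other [options])."""
    return [f"controller host {h} level {opt.level}" for h in opt.pool]


if __name__ == "__main__":
    # The first two strings are the slide's own samples; the third is constructed to fail.
    samples = [
        "pool1=nx01.corp.com,10.2.2.3, 10.2.2.4; udp-port=9999; level=2; rf-domain=site12",
        "pool1=192.168.0.1",
        "pool1=10.0.0.1;hello-interval=20;adjacency-hold-time=45",
    ]
    for s in samples:
        try:
            o = parse_option191(s)
            print(s, "->", o, *to_controller_host_lines(o), sep="\n  ")
        except ValueError as e:
            print(s, "-> REJECTED:", e)
```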
107
MULTI-SITE ARCHITECTURE
Pre-Staged Configuration

In most deployments the Controller pushes the
configuration to the joining AP
– The configuration could potentially be
  different from the pre-staged configuration
  of the device
– What could the consequences be?

auto-learn-staging-config
– On Controller (enabled by default)
– Interface configuration (L1/L2/L3)
  • Speed/Duplex
  • VLANs/trunks/native VLANs/etc
  • Static IP address/mask/routes/DNS
– Hostnames
– Static Controller IP Addresses /
  Hostnames

When use it? When not?
– LAN? WAN?

Example pre-staged device section:
!
ap8132 00-23-68-99-B6-7C
 use profile default-ap8132
 use rf-domain default
 hostname ap8132-2
 ip default-gateway 192.168.21.1
 interface ge1
  switchport mode trunk
  switchport trunk native vlan 21
  no switchport trunk native tagged
  switchport trunk allowed vlan 21-25
 interface vlan21
  ip address 192.168.21.50/24
 logging on
 logging console warnings
 logging buffered warnings
 controller host 192.168.20.23 level 2
 controller host 192.168.20.22 level 2
!
108
MULTI-SITE ARCHITECTURE
Check your understanding

1. Where are the Data, Control and Management planes in a Centralized Controller architecture?
   _______________________________________________________________________

2. What levels/layers of MiNT links are used from which devices?
   _______________________________________________________________________

3. Which configuration parameter assures that devices will be able to find the local RFDM?
   Where is it defined? _______________________________________________________

4. What is the difference between Control VLAN and Controller VLAN?
   _______________________________________________________________________

5. Which commands can you use to check/troubleshoot your deployment? What should you
   see? ___________________________________________________________________

6. Do you want Layer 2 MLCP in this architecture?
   _______________________________________________________________________

7. When would you want to use auto-learn staging config?
   _______________________________________________________________________

Any questions before we move on?
109
LAB: ADOPTION MULTI-SITE

Multi-Site Scenario
– 03.3 Plug’n’Play L3 adoption multi-site
– 03.4 AP Device-Specific Settings

Can you use this setup in Campus/LAN?


– Should you? When/why?

110
CLUSTERING
Removing single point of failure

111
CLUSTERING
Plan and Objectives

Here’s what you’ll learn:


 How does clustering work?
 How is it different from WING4/centralized cluster?
 How to configure cluster?
 How to configure cluster quickly and safely?
 What are the best practices and common mistakes for clustering?

Plan
 Discuss
 Recap
 DIY lab (extra curricular)

Any needs for clustering in your deployments?


Any clustering experiences?

112
CLUSTERING
Overview

Best practice
– Two per cluster
– Up to 6 RFS supported for WiNG4 migration

AP/AAP Licenses are shared
– Persist across reboots
– Controller cannot handle more than it is physically capable of

Some feature licenses are shared, some are not

Single management interface
– Master configuration is synchronized between cluster members
– Can manage from any member
– Same FW version required

(Diagram: an Active-Standby DC Cluster and a Site Cluster, each with its RF Domain of Access Points)

113
CLUSTERING
Configuration
Cluster Name:
Mandatory

– Cluster name defined = clustering is “on”


Peers (MiNT links):
– cluster member ip <...> level <1|2>
– Important: always build them over L3!
– Important: cluster link level = adoption link level!
– Important: only one link between cluster members!

Cluster Mode:
Optional

– Active (default) or Standby


Master priority: (0-255, 128 default)
– Highest priority will become the Master
– Pushes its config to the Slave. What happens if the wrong controller becomes Master?

Best practice: Use device overrides to set all cluster parameters

Example from the slide: two Vx9000 cluster members connected over an L3 MiNT link

Active member: Vx9000 00-15-70-81-A2-9A (Installed Licenses: 256, Cluster Licenses: 256)
 use profile corp-vx
 use rf-domain dc1
 hostname rfs6000-1
 ..
 interface vlan 10
  ip address 192.168.10.15/24
 ..
 cluster name Cluster1
 cluster member ip 192.168.10.16
 cluster master-priority 255
!

Standby member: Vx9000 00-15-70-A3-2B-9B (Installed Licenses: 0, Cluster Licenses: 256)
 use profile corp-vx
 use rf-domain dc2
 hostname rfs6000-2
 ..
 interface vlan 10
  ip address 192.168.10.16/24
 ..
 cluster name Cluster1
 cluster member ip 192.168.10.15
 cluster mode standby
!

114
CLUSTERING
How to build a cluster quickly and safely?

On one Wireless Controller (Primary) build the master configuration for the network and
1 define the Cluster Name

On Secondary configure IP connectivity to Primary and issue


2 join-cluster <ip> user <…> password <…> level <1|2> mode <active | standby>

… The Secondary will establish MiNT link(s), join the cluster, add its device sections (but not
policies/profiles/wlans/rf-domains) to the Primary’s Master Config and pull the updated config

Done: cluster is now operational and the configuration is synchronized in a safe way
!

115
CLUSTERING
Check your understanding

Maximum of how many Controllers? How many do you really need? Why?
1 _______________________________________________________________________

Can Controllers in the cluster run different firmware versions?


2 _______________________________________________________________________

Do you need to manually sync config across cluster members?


3 _______________________________________________________________________

Cluster MiNT link level should be equal to ______________________________________


4

AP and AAP licenses are persistent until______________________________________


5

Enforce ______ priority (set to ____ ) at the designated Master to ensure config integrity
6

How do you turn the clustering off?


7 _______________________________________________________________________

Any questions before we move on?


116
ADOPTION AND DEVICE MANAGEMENT
Module recap

Check your learning, can you perform the following?


 Fully explain and perform the process of AP adoption over L2 and L3
 Explain all available adoption and discovery methods
 Explain the role and functions of the MiNT protocol
 Explain considerations and options for L2 and L3 adoption
 Explain single and multi-site adoption guidelines
 Explain clustering
 List useful commands that give insight into the adoption and MiNT process
 Successfully complete all related lab activities

Any interesting lab experiences?


Was it helpful? How?

117
MINT TUNNELING
…one more thing

118
MINT TUNNELING
Objectives and plan

Here’s what you’ll learn:


 How does MiNT Tunnelling work?
 What are the advantages and limitations of tunnelling?
 How to choose the right mode for your design?
 Identify typical traffic forwarding design mistakes and explain how to correct
them

Plan
 Discuss
 Recap
 Exercise

Are you using any form of tunnelling in your setups?


Do you see need for it?

119
MINT TUNNELING
Overview

WING5 devices can do the following with traffic (wired and wireless)
– Bridge to a local interface, L2TP, etc. or a MiNT tunnel
– Route to a local interface (incl NAT, PBR, etc), IPsec tunnel, etc.

MiNT Tunneling can be
– Centralized: all goes to Controller
  • Controller capacity is limited
– Adaptive: routed (L2) based on destination MAC

Choose on per-VLAN basis!
– Our advantage
– Allows staged migration from Centralized to Distributed Architecture
– Combine, Mix and Match, and you also have the overrides!

(Diagram: a VLAN bridged to an Ext. VLAN across the Mgmt VLAN, with a Bridge at each device)

120
MINT TUNNELING
Protocols
Controlled via “Bridging Mode” (VLAN/WLAN)
– Local – locally bridged/routed
– Tunnel – tunneled over MiNT

Tunnel VLANs over MiNT links
– Ethertype 0x8783 (Multicast)
– UDP port 24577 (Unicast)

Both Level 1 and Level 2
– L2 tunneling is disabled by default

Overlay distributed bridge
– Tunnel VLAN traffic between devices
– …wired and wireless
– …irrespective of how those devices are connected to the physical network
– Seamless L3 mobility for wireless clients!

(Diagram: WiNG5 Network spanning Layer 2 and Layer 3 segments; labels: UDP 24576, UDP 24577, 0x8783)

121
LOCAL BRIDGING
Use case: Campus
(Diagram: Services, Configuration & Management on VLANs 10 and 20; Distribution trunks carry VLANs 10, 20, 30; Building 1 and Building 2, Floors 1-3; every AP bridges VLAN 30 in Local mode)

! VLAN 30 is defined on all APs and Switches in the Campus to provide seamless Mobility

122
VLAN TUNNELLING
Use case: Campus
(Diagram: Services, Configuration & Management on VLANs 10 and 20; Default Gateway for Tunnelled VLAN 100 and for Tunnelled VLAN 110 at the core layer, on VLAN 10,100 and VLAN 20,110; Distribution carries VLANs 10-80, with VLANs 30-50 and 60-80 tagged toward the buildings; Building 1 Floors 1-3 on VLANs 30/40/50, Building 2 Floors 1-3 on VLANs 60/70/80; all APs in Extended mode, Building 1 on VLAN 100 and Building 2 on VLAN 110)

! Tunnelled VLANs are only defined on the Access Points, Wireless Controllers and Core Layer 3 Switches (default gateways)

123
VLAN TUNNELLING
Use case: Layer 3 Mobility
(Diagram: Services, Configuration & Management on VLANs 10 and 20; Default Gateway for Tunnelled VLAN 100 at the core, which carries VLANs 10-80,100; Distribution tagged VLANs 30-50,100 toward Building 1 and 60-80,110 toward Building 2; Building 1 Floors 1-3 on VLANs 30/40/50 plus VLAN 100 in Local mode, Building 2 Floors 1-3 on VLANs 60/70/80 with VLAN 100 in Extended mode; the client keeps IP 192.168.100.211/24 and DFG 192.168.100.1 on all six APs)

124
VLAN TUNNELLING
Use case: Guest Traffic

(Diagram: Corporate HQ, DMZ and Public Internet; the DMZ controller on VLAN 80,90 is the Default Gateway for Tunnelled VLAN 90, with VLAN 100 toward the Internet; HQ core on VLAN 10 with Floors 1-3 on VLANs 20/30/40, and Branch 1 and Branch 2 on VLANs 120/130 reached over the WAN through an IP MiNT Link; all APs in Extended mode on VLAN 90)

125
LOCAL BRIDGING
Exercise
Topology as read from the slide diagram (VLANs 10, 11 and 12 in use; all WLANs locally bridged):

Server (core switch Ge0/1, VLAN 10)
  MAC: 2222.2222.2222   IP: 192.168.10.5/24   DFG: 192.168.10.1
Wireless Controller (core switch Ge0/2, VLAN 10)
  MAC: 3333.3333.3333   IP: 192.168.10.10/24   DFG: 192.168.10.1
Core L3 switch (default gateway for all VLANs; Ge0/47 and Ge0/48 trunk VLANs 10-12 to the access switches)
  VLAN 10: MAC 1111.1111.aaaa   IP 192.168.10.1/24
  VLAN 11: MAC 1111.1111.bbbb   IP 192.168.11.1/24
  VLAN 12: MAC 1111.1111.cccc   IP 192.168.12.1/24
Access switch 1 (Ge0/48 uplink trunk VLANs 10-12; Ge0/1 Station 1 on VLAN 11; Ge0/2 AP1 trunk VLANs 11-12)
Access switch 2 (Ge0/48 uplink trunk VLANs 10-12; Ge0/1 Station 2 on VLAN 12; Ge0/2 AP2 trunk VLANs 11-12)
Station 1   MAC: 4444.4444.4444   IP: 192.168.11.100/24   DFG: 192.168.11.1
Station 2   MAC: 5555.5555.5555   IP: 192.168.12.101/24   DFG: 192.168.12.1
AP1 (Ge1)
  Wireless Client 1 (VLAN 11)   MAC: 6666.6666.6666   IP: 192.168.11.101/24   DFG: 192.168.11.1
  Wireless Client 2 (VLAN 11)   MAC: 7777.7777.7777   IP: 192.168.11.102/24   DFG: 192.168.11.1
AP2 (Ge1)
  Wireless Client 3 (VLAN 12)   MAC: 8888.8888.8888   IP: 192.168.12.100/24   DFG: 192.168.12.1
  Wireless Client 4 (VLAN 11)   MAC: 9999.9999.9999   IP: 192.168.11.103/24   DFG: 192.168.11.1

126
CENTRALIZED FORWARDING
Exercise
Topology as read from the slide diagram (VLANs 10, 20 and 21 in use; VLANs 20 and 21 are Extended, i.e. tunnelled to the controller):

Server (core switch Ge0/1, VLAN 10)
  MAC: 2222.2222.2222   IP: 192.168.10.5/24   DFG: 192.168.10.1
Wireless Controller (core switch Ge0/2, VLANs 10,20-21)
  MAC: 3333.3333.3333   IP: 192.168.10.10/24   DFG: 192.168.10.1
Core L3 switch (default gateway for all VLANs; Ge0/47 and Ge0/48 carry VLAN 11 and VLAN 12 to the access switches)
  VLAN 10: MAC 1111.1111.aaaa   IP 192.168.10.1/24
  VLAN 11: MAC 1111.1111.bbbb   IP 192.168.11.1/24
  VLAN 12: MAC 1111.1111.cccc   IP 192.168.12.1/24
  VLAN 20: MAC 1111.1111.dddd   IP 192.168.20.1/24
  VLAN 21: MAC 1111.1111.eeee   IP 192.168.21.1/24
Access switch 1 (Ge0/48 uplink VLAN 11; Ge0/1 Station 1 on VLAN 11; Ge0/2 AP1 on VLAN 11)
Access switch 2 (Ge0/48 uplink VLAN 12; Ge0/1 Station 2 on VLAN 12; Ge0/2 AP2 on VLAN 12)
Station 1   MAC: 4444.4444.4444   IP: 192.168.11.100/24   DFG: 192.168.11.1
Station 2   MAC: 5555.5555.5555   IP: 192.168.12.101/24   DFG: 192.168.12.1
AP1 (Ge1)
  Wireless Client 1 (VLAN 20)   MAC: 6666.6666.6666   IP: 192.168.20.100/24   DFG: 192.168.20.1
  Wireless Client 2 (VLAN 20)   MAC: 7777.7777.7777   IP: 192.168.20.101/24   DFG: 192.168.20.1
AP2 (Ge1)
  Wireless Client 3 (VLAN 21)   MAC: 8888.8888.8888   IP: 192.168.21.100/24   DFG: 192.168.21.1
  Wireless Client 4 (VLAN 20)   MAC: 9999.9999.9999   IP: 192.168.20.102/24   DFG: 192.168.20.1

127
MINT TUNNELING
Technical details and useful commands

Tunneled VLAN can be of two flavours
– Extended: device can tunnel it to wire
– Overlaid: device will not tunnel it to wire (strict WLAN  tunnel)

Wired-Tunnel gateway is called EVIS
– Typically 1 per tunnelled VLAN
– May be different for different VLANs (load balancing)

Bad omens (Why? What would happen?)
– Two EVISes on the same VLAN
– Same VLAN configured as local and tunneled

Capture packets on interface vlan X or ext-vlan
– What will you see otherwise?

rfs1#sh mint tunneled-vlans
vlan 101: source: WLAN vlan and bridging-mode configuration, state: extended, EVIS 0B.1B.9B.44 (self)
vlan 103: source: bridge vlan configuration, state: extended, EVIS 0B.1B.9B.44 (self)
rfs1#sh mint tunneled-vlans on ap1
vlan 101: source: WLAN vlan and bridging-mode configuration, state: overlaid
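As an added example (not WiNG code), the following Python parses the `show mint tunneled-vlans` output format shown above, collected from several devices, and flags the first bad omen: a VLAN for which more than one EVIS is reported. The device names, MiNT IDs and VLAN numbers in the sample are constructed.

```python
"""Parse 'show mint tunneled-vlans' output from several WiNG devices and flag one
of the bad omens named on the slide: two EVISes on the same tunneled VLAN.

Added example written for this page, not WiNG code. The line format follows
the slide; the device names, MiNT IDs and VLAN numbers below are constructed.
"""
import re
from collections import defaultdict

# One line per tunneled VLAN. The "EVIS <mint-id> [(self)]" part is present only
# for the extended state; an overlaid VLAN (strict WLAN -> tunnel) has none.
LINE_RE = re.compile(
    r"^vlan (?P<vlan>\d+): source: (?P<source>.+?), state: (?P<state>extended|overlaid)"
    r"(?:, EVIS (?P<evis>[0-9A-Fa-f]{2}(?:\.[0-9A-Fa-f]{2}){3})( \(self\))?)?\s*$"
)


def parse_tunneled_vlans(output):
    """Return {vlan: {"source", "state", "evis"}} for one device's output.

    Echoed prompts (e.g. 'rfs1#sh mint tunneled-vlans') and blank lines are
    skipped; any other unrecognised line raises so a format change is noticed.
    """
    vlans = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or not line.startswith("vlan "):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised tunneled-vlans line: %r" % line)
        vlans[int(m["vlan"])] = {
            "source": m["source"],
            "state": m["state"],
            "evis": m["evis"].upper() if m["evis"] else None,
        }
    return vlans


def find_evis_conflicts(per_device):
    """per_device maps device name -> raw command output.

    Returns [(vlan, {evis_id: [devices]})] for every VLAN where more than one
    MiNT ID is reported as the EVIS, i.e. the "two EVISes on the same VLAN"
    condition the slide lists as a bad omen.
    """
    evis_by_vlan = defaultdict(lambda: defaultdict(list))
    for device, output in per_device.items():
        for vlan, info in parse_tunneled_vlans(output).items():
            if info["evis"]:
                evis_by_vlan[vlan][info["evis"]].append(device)
    return [
        (vlan, {evis: sorted(devs) for evis, devs in evis_by_vlan[vlan].items()})
        for vlan in sorted(evis_by_vlan)
        if len(evis_by_vlan[vlan]) > 1
    ]


# Constructed sample: rfs1 and rfs2 both report themselves as the EVIS for
# VLAN 101, VLAN 103 is consistently served by rfs1, and ap1 only overlays 101.
SAMPLE = {
    "rfs1": """\
rfs1#sh mint tunneled-vlans
vlan 101: source: WLAN vlan and bridging-mode configuration, state: extended, EVIS 0B.1B.9B.44 (self)
vlan 103: source: bridge vlan configuration, state: extended, EVIS 0B.1B.9B.44 (self)
""",
    "rfs2": """\
rfs2#sh mint tunneled-vlans
vlan 101: source: bridge vlan configuration, state: extended, EVIS 0B.1B.9B.45 (self)
vlan 103: source: bridge vlan configuration, state: extended, EVIS 0B.1B.9B.44
""",
    "ap1": """\
rfs1#sh mint tunneled-vlans on ap1
vlan 101: source: WLAN vlan and bridging-mode configuration, state: overlaid
""",
}

if __name__ == "__main__":
    for vlan, claims in find_evis_conflicts(SAMPLE):
        print(f"VLAN {vlan}: more than one EVIS -> {claims}")
```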

129
LOCAL BRIDGING
Check your understanding: local or tunnel?

A new WLAN is deployed across 150 APs with a dedicated VLAN to support it and you
1 need to touch each switch port

Your AP has VLANs 1,2,3,4 defined, but only VLAN1 comes through. What mode, what
2 problem? _______________________________________________________________

Bridging on remote site fails as soon as uplink goes down


3 _______________________________________________________________________

Client roams between APs located in different IP subnets w/o having to change IP
4 address ________________________________________________________________

Client pings a wired resource from AP. You are tracing the GE1 interface but can’t see
5 ICMP packets. What will you see instead? How should you trace? __________________

Your controller should support 1000+ APs, but you start having problems after 250
6 _______________________________________________________________________

You are seeing unnecessary extra hops. How can you avoid it?
7 _______________________________________________________________________

Any questions before we move on ?


130
TUNNELLING
To tunnel or not to tunnel?

Local

Pros:
– No encapsulation overhead
– Shorter paths
– Controller out of datapath
– Very scalable
– Transparent bridging and routing
Cons:
– Traffic goes onto wired via multiple points – harder to control
– More management overhead on wired integration side

Better performance and scalability, but harder to implement and maintain
– Demanding / real-time applications
– Lots of APs
– What would be an example?

Tunnelled

Pros:
– More security due to tunnelling
– Single point of control and integration
– Easy to add new APs
– Can tunnel over L2 MiNT links over WAN instead of complex IPsec/L2TPv3 setups
Cons:
– Encapsulation overhead
– Extra hops
– Controller may be a bottleneck
  • Number of tunnels
  • Throughput

Easy to implement and maintain, may have performance and scaling problems
– Use for applications w/o high requirements for throughput and latency
– What would be an example?

131
VLAN BRIDGING & TUNNELING
Module recap

Check your learning, can you perform the following?


 Explain how MiNT Tunnelling works
 Explain the advantages and limitations of tunnelling
 Choose the right mode for your design
 Identify typical traffic forwarding design mistakes and explain how to correct
them

Any interesting exercise findings?


Was it helpful? How?

132
REFERENCE DESIGNS
AND BEST PRACTICES
Putting it all together

133
REFERENCE DESIGNS AND BEST PRACTICES
Objectives and plan

Here’s what you’ll learn:


 What are the reference designs for single and multi-site deployments?
 What is supported and what is not supported?
 What is Virtual Controller, Virtual RFDM, Hierarchical Management?
 What are the scalability considerations when choosing a design?
 What are the general best practices, trends and common design mistakes?
 How do I choose a correct design for my deployment?
 How do I ensure my design is configured in a supported way?

Plan
 Discuss
 No recap – exercises in the next module

Raise hand if you have ever seen a “peculiar” network design? 


 Raise hand if you have ever created one yourself!

134
REFERENCE DESIGNS
Single Site

Single Site

Standalone: Tiny sites with 1-2 AP’s; no need for centralized configuration
1

Virtual Controller: Small sites with 2-24/64 AP’s; centralized management within site
2

On-Site Controller: Sites with >24 AP’s; campus deployments; distributed forwarding –
3 centralized management

Standalone Virtual Controller On-Site Controller

135
REFERENCE DESIGNS: SMALL DEPLOYMENTS
Virtual Controller (Small sites with <= 24/64 APs)
Similar to “real” WiNG5 Controller
– Centralized configuration
– Adoption
– Firmware updates
– Statistics, troubleshooting, etc

Scaled down for small simple one-site deployments
– Single Site (one RF Domain)
– Up to 24 APs (64 with AP7522/32)
– Independent APs only
– Same model only!
– Local bridging only (no tunneling)
– Captive Portal must run on each Access Point
– RADIUS server must run on VC
– Many policies are limited to one instance
– Mesh, etc, is supported
– Further smaller limitations
– Uses SWIFT UI

Easy to upgrade to ‘full’ controller setup (NX/VX)

(Diagram: a Single Location of APs with a Virtual Controller, connected to the Internet)


136
REFERENCE DESIGNS: SINGLE SITE
Single Site with <=50 APs (<= 20 low-end APs)

APs Adopted at Layer 2 or 3
– Level 1 MiNT links are OK

Single RF Domain, Controller is RFDM
– No Control VLAN (not needed)
– RFDM election disabled
  • Controller is RFDM anyway
  • no rf-domain-manager capable in AP profile(s)
  • Speeds up RF Domain convergence in case of device add/swap

No tunneling restrictions. Both local and tunneled WLANs are OK.

rf-domain site
 ...
profile anyap localap
 no rf-domain-manager capable

137
REFERENCE DESIGNS: SINGLE SITE
Single Site with 50-1024 APs (21-128 low-end APs)

!!! APs Adopted at Layer 3 !!!
– Layer 2 MiNT will generate too much broadcast  extra heavy load
– Disable MLCP at Layer 2

Level 1 MiNT links are still OK
– Depends on controller capacity
– Cluster link level = adoption link level

Single RF Domain, Controller is RFDM
– !!! No Control VLAN !!!
– RFDM election disabled

Think twice before tunneling to controller
– Capacity, throughput, latency
– Better use local bridging

rf-domain big-site
 ...
profile nx7500 mycontroller
 no mint mlcp vlan
 ...
profile anyap localap
 controller host 192.168.111.1
 no mint mlcp vlan
 no rf-domain-manager capable
 ...
wlan corp
 bridging-mode local

138
REFERENCE DESIGNS: SINGLE SITE
Single Site with 1025+ APs (128+ low-end APs)

!!! APs Adopted at Layer 3 !!!

Level 2 MiNT links
– L1 links are too chatty = AP overload
– L2 Cluster links

Multiple Controller-Managed RF Domains
– Split per building, area, floor
  • <=256 APs per RF Domain
  • Number of RF Domains depends on Controller Virtual RFDM capability
– No Control VLAN
– RFDM election disabled

Think twice before tunneling to controller
– Capacity, throughput, latency

rf-domain very-big-site
 controller-managed
 ...
profile anyap localap
 controller host 192.168.111.1 level 2
 no rf-domain-manager capable

(Diagram: Core on VLAN 10 with RF Domains on VLANs 11, 12 and 13)

139
VIRTUAL RF DOMAIN MANAGER
Configuration and operation

Controller manages multiple RF Domains


– Campus with multiple huge RF Domains (>128 APs)
– WiNG4 migration

Configuration:
– RF Domain -> Controller Managed
– Allows having some RF Domains on controllers and some on APs for mixed
deployments

Model               RF Domains
RFS4000 / NX4500    2
RFS6000 / NX6500    5
RFS7000             10
NX7500              40
NX9500              200
VX9000              0

140
SINGLE SITE BEST PRACTICES
Things to remember and care about

Adoption
 > 50 (>20 low-end) APs  MUST use Layer 3 adoption!
 1025+ (128+ low-end) APs -> MUST use Level 2 MiNT links!
 Disable automatic learning of staging config (no need in most cases)
 Disable automatic FW upgrades (no device-upgrade auto)

RF Domains
 Try making controller the only RFDM (Virtual RFDM or single RF Domain)
 Disable RFDM elections for controller-managed RF Domains
 No Control VLAN

Separate management policy for APs


 No HTTP/HTTPS/SNMP/Telnet/SSH (serial console still works)
 Still manageable via controller (connect <hostname|mint-id>)

Other
 Learn customer’s STP design and its impact on you (PortFast on AP ports, etc)
 Disable CDP/LLDP if not supported by infrastructure

141
REFERENCE DESIGNS
Multi Site

Multi-Site

Teleworkers: multiple 1-cell sites, auto VPN tunnel to DC / cloud


4

Controller in the DC: Sites with <=128 AP’s; no onsite controller, real-time operations
5 localized within site = efficient use of WAN, site survivability

Hierarchical: Multiple sites with >128 AP’s; site controllers managed from DC controller;
6 efficient use of WAN, site survivability

(Diagram: the three multi-site designs, each with a Centralized NX/VX: Teleworkers, No onsite controller, Onsite controller)

142
REFERENCE DESIGNS: MULTI SITE
Multi Site with 1-128 APs (24 low-end APs)

APs Adopted at Layer 3


– Using Level 2 MiNT Links

Within site
– Separate RF Domain
– Level 1, Layer 2 MiNT links
– Must define Control VLAN
– Disable MLCP L2 to avoid issues
• Control VLAN will still create link

Level 2 IP link between cluster members

Usual tunneling considerations
– Do you want to tunnel over WAN?
– Traffic will be tunneled through RFDM
  • Optimized bandwidth
  • Dynamic failover
  • Requires a single tick configuration

rf-domain remote-site
 control-vlan 1
 ...
profile nx7500 mycontroller
 no mint mlcp vlan
 ...
profile ap7532 localap
 controller host 192.168.111.1
 no mint mlcp vlan

143
REFERENCE DESIGNS: MULTI SITE
Multi Site with 129-4096 APs (>24 low-end APs)

Must use Site Controller (SC)
– SC Adopted at Layer 3
  • DHCP option 192
– Using Level 2 MiNT Links

Within site
– APs adopted at Layer 2/3 to SC
  • (follow campus rules)
– Separate RF Domain
– Level 1 IP (> 24AP) MiNT links
– No Control VLAN defined

One level of hierarchy
– DC can lend licenses to CC
– Clusters can adopt clusters

Usual tunneling considerations

(Diagram: sites of 32, 40, 128 and 72 APs, each behind a Site Controller with Level 1 links inside the site)

144
REFERENCE DESIGNS
Bringing it all together…

Un-paralleled scaling and manageability for large distributed deployments:
– Highly scalable supporting
1000s of sites/devices
– With or without onsite controller
– Plug-n-play Access Point
deployments
– Simplified Management
– Simplified Configuration
– Full Access Point Survivability
– WAN Bandwidth Optimization
– Simplified Debugging

145
MULTI-SITE BEST PRACTICES
Things to remember and care about

Adoption
 Level 2 IP-based to Controller
 RF Domain size > 128 (24 low-end) APs requires on-site controller
 Consider if automatic learning of staging config is required
 Disable automatic FW upgrades (no device-upgrade auto)

RF Domains
 Each site = unique RF Domain
 Multiple RFDMs for the same RF Domain = trouble
 Control VLAN is a must!
 Use aliases and RF Domain overrides

Tunnelling
 Tunnelling L2 over L3 is rarely a good idea (at least, control broadcasts)
 MiNT tunnelling is easy to set up, but proprietary
• Must expose a controller in the DMZ
• Consider L2TP instead
• Both can automatically work through RFDM with dynamic failover
 What if your uplink fails?
146
REFERENCE DESIGNS
Best practices

Layer 3 (IP) Level 2 adoption whenever possible


 Layer 2 for demos, PoCs and smaller sites
 VX officially supports only L3 adoption (multicast + VM requires extra care)
 Many more advanced considerations apply, just do it © – go L3
 How can you disable Layer 2 MiNT adoption?

Level 2 links to Controller


 Unless your controller is your RFDM (single RF Domain)

Tunnelling and cluster


 Cluster MiNT link level = adoption mint link level
 No redundant MiNT links (L1+L2) in cluster
 Active/Standby cluster, don’t forget both IP addresses in the pool1 option

 Use tunnelling only when you need it


 Tunneling may cause L2 loops – beware!
 Clustered controllers must see each other on every tunneled VLAN

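As an added example (not WiNG code) covering the cluster rules from the Clustering Configuration slide and this one, the following Python lints a WiNG-style configuration for three of them: cluster link level equal to the adoption link level, no redundant links between cluster members, and one cluster name on all members. The device sections, IP addresses and both sample configs are constructed.

```python
"""Lint a WiNG-style configuration for the clustering rules stated in this module:
cluster MiNT link level must equal the adoption link level, only one link between
cluster members, and one cluster name on all members.

Added example written for this page, not WiNG code. Device names, IPs and the
sample configs are constructed; the parser assumes running-config indentation
(section header unindented, commands indented by one space).
"""
import re
from collections import defaultdict

# Syntax as used on the slides; "level" defaults to 1 when omitted.
MEMBER_RE = re.compile(r"^cluster member ip (\S+)(?: level ([12]))?$")
HOST_RE = re.compile(r"^controller host (\S+)(?: level ([12]))?")
NAME_RE = re.compile(r"^cluster name (\S+)$")


def parse_sections(config):
    """Return [(header, [commands])]; a header is any unindented line."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw.startswith(" "):
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def lint_cluster(config):
    """Return a list of findings (empty list means the rules are satisfied)."""
    findings = []
    adoption_levels = set()            # MiNT levels APs use toward controllers
    cluster_levels = defaultdict(set)  # device header -> levels of cluster links
    cluster_names = {}                 # device header -> cluster name

    for header, cmds in parse_sections(config):
        peers = defaultdict(int)       # peer ip -> number of cluster links
        for cmd in cmds:
            if m := HOST_RE.match(cmd):
                adoption_levels.add(int(m.group(2) or 1))
            elif m := MEMBER_RE.match(cmd):
                peers[m.group(1)] += 1
                cluster_levels[header].add(int(m.group(2) or 1))
            elif m := NAME_RE.match(cmd):
                cluster_names[header] = m.group(1)
        for ip, count in sorted(peers.items()):
            if count > 1:   # e.g. a level 1 and a level 2 link to the same peer
                findings.append(f"{header}: {count} MiNT links to cluster peer {ip} (only one link allowed)")

    if len(set(cluster_names.values())) > 1:
        findings.append("cluster name differs between members: " +
                        ", ".join(f"{h}={n}" for h, n in sorted(cluster_names.items())))
    for header, levels in sorted(cluster_levels.items()):
        if header not in cluster_names:
            findings.append(f"{header}: cluster member configured without a cluster name (clustering is off)")
        if adoption_levels:   # only comparable when some profile adopts to a controller
            for lvl in sorted(levels - adoption_levels):
                findings.append(f"{header}: cluster link level {lvl} != adoption link level(s) {sorted(adoption_levels)}")
    return findings


# Constructed sample: a level 1 plus a level 2 link to the same peer, a cluster
# name mismatch, and APs adopting at level 2 while one cluster link is level 1.
BAD_CONFIG = """\
profile anyap localap
 controller host 192.168.10.15 level 2
 controller host 192.168.10.16 level 2
 no mint mlcp vlan
!
vx9000 00-15-70-81-A2-9A
 hostname vx-1
 cluster name Cluster1
 cluster member ip 192.168.10.16 level 1
 cluster member ip 192.168.10.16 level 2
 cluster master-priority 255
!
vx9000 00-15-70-A3-2B-9B
 hostname vx-2
 cluster name Cluster2
 cluster member ip 192.168.10.15 level 2
 cluster mode standby
!
"""

# The same deployment with the rules applied: one level 2 link each way, one name.
GOOD_CONFIG = BAD_CONFIG.replace(" cluster member ip 192.168.10.16 level 1\n", "") \
                        .replace("Cluster2", "Cluster1")

if __name__ == "__main__":
    for finding in lint_cluster(BAD_CONFIG):
        print("FINDING:", finding)
    print("clean:", lint_cluster(GOOD_CONFIG) == [])
```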
147
REFERENCE DESIGNS AND BEST PRACTICES
Module recap

Check your learning, can you perform the following?


 List six typical WING5 architectures and explain when they are used
 Explain how those architectures transform into each other for seamless
growth and scalability
 Explain Virtual Controller, Virtual RFDM, Hierarchical Management features,
their use cases, benefits, limitations
 Explain best practices and scalability considerations for each design
 Choose a correct design for your deployment
 Build a correct and supported configuration for the chosen design

Any experiences or opinions to share?


Was this helpful? How?

Any questions before we move on to exercises?

149
CHECK YOUR
UNDERSTANDING
No recap this time
Plan: analyse and troubleshoot cases

150
CHECK YOUR UNDERSTANDING
Example: Tunnelling issues

Two Extended WLANs: Guest and Corp

Guest WLAN traffic is Tunnelled to a DMZ controller over IPSEC

Corporate WLAN traffic is bridged by the Corp Controller

Internet speed tests show poor results

Guest WLAN
1 − Upstream < 1Mbps
− Downstream < 1Mbps

2 Corp WLAN
− Upstream < 2Mbps

151
TROUBLESHOOTING ISSUE 1
Issue 1 – Validate Wireless LAN Performance

1 Validate Extended Wireless LAN

Connect Wired PC to Corp Controller

Run IPERF between Wired PC and Wireless PC

Result:
Upstream: 20Mbps
Downstream: 24Mbps

152
TROUBLESHOOTING ISSUE 1
Issue 1 – Validate IPSEC tunnel Performance

1 Validate Extended Wireless LAN

2 Validate IPSEC tunnel performance

Connect Wired PC to DMZ Controller

Run IPERF between Wired PC and Wireless PC

Result:
Upstream: 20Mbps
Downstream: 24Mbps

153
TROUBLESHOOTING ISSUE 1
Issue 1 – Validate Wireless LAN Performance

1 Validate Extended Wireless LAN

2 Validate IPSEC tunnel performance

3 Validate DMZ LAN Switch

Connect Wired PC to DMZ LAN Switch

Run IPERF between Wired PC and Wireless PC

Result:
Upstream: 0.8 Mbps
Downstream: 1.2Mbps
154
TROUBLESHOOTING ISSUE 1
Issue 1 – RESOLVED

What was the Issue?


• On the LAN switch the Port was forced to 100Mbps Full Duplex
• On the RFS Controller the Port was set for auto negotiation
• This strangely caused the RFS to do 100Mbps Half Duplex
• Once the port settings were changed we got 20+Mbps up and down

155
TROUBLESHOOTING ISSUE 2
Issue 2 – Validate Wireless LAN Performance

1 Validate Extended Wireless LAN

Connect Wired PC to Corp Controller

Run IPERF between Wired PC and Wireless PC

Result:
Upstream: 2 Mbps
Downstream: 20+ Mbps

156
TROUBLESHOOTING ISSUE 2
Issue 2 – Eliminate Wired Infrastructure

1 Validate Extended Wireless LAN

2 Eliminate Wired Infrastructure

Connect AP7131 and Wired PC to Corp Controller

Run IPERF between Wired PC and Wireless PC

Result:
Upstream: 20+ Mbps
Downstream: 20+ Mbps

157
TROUBLESHOOTING ISSUE 2
Issue 2 – RESOLVED

What was the Issue?


• On the LAN switch to which the AP was connected there were a bunch of
traffic shaping policies for voice, video and data
• One such policy was mapped to all UDP traffic with port numbers
ranging between 16,000-32,000
• Guess what important protocol falls into that range?
• Policy was shaping upstream packets  our throughput suffered
• Policy removed  throughput was 20+ Mbps in both directions

158
CHECK YOUR UNDERSTANDING
Architecture issue: Local Site

Local site (LAN)


– NX7500, RF Domain “DC”
– 300 AP7532, RF-Domain “HQ”

Will it work at all?


– ___________________________
– ___________________________
What will happen?
– ___________________________
– ___________________________
How to fix it?
– ___________________________
– ___________________________

159
CHECK YOUR UNDERSTANDING
Architecture issue: Multi-Site

Multi-Site
– NX7500, RF Domain “DC”
– 20 APs, RF-Domain “store001”

rf-domain store001
 timezone CST6CDT
 use smart-rf-policy store-FCC
 use wips-policy WIPS-US
 override-wlan storewlan ssid STORE001

Will the network work at all?
– Will devices adopt?
– What will happen?
– What will happen to the WLANs?

Which commands will you run to validate


and confirm your guesses?

How to fix it?

160
CHECK YOUR UNDERSTANDING
Architecture issue: Multi-Site

Setup as per diagram


– DNS set up for out-of-box adoption
– APs can reach controller
– Site uses tunnelling (no trunks on APs)

Will the network work at all?


– Will APs find the controller?
– Will APs adopt?
– Will APs form local RF Domain?
– What will you see in stats/logs?

How can you fix it?


rf-domain store002
location Berlin
timezone GMT+1
country-code de
use smart-rf-policy store-ETSI
use wips-policy WIPS-EU
control vlan 21
override-wlan storewlan ssid STORE002

161
CHECK YOUR UNDERSTANDING
Adoption Troubleshooting

AP does not adopt. What will you check?


– What is required for AP to adopt?
– Which commands or techniques will you be using?
– How could you fix it?
Can you determine the general root cause for these cases?
– AP adopts with Profile and/or RF Domain other than defined in AutoP policy
– AP can see the controller, but cannot / won’t adopt
– AP has connectivity (L2 or L3) to the controller (can ping) but does not try to
adopt
– AP tries to adopt, but cannot reach the controller

LAN/WAN

162
CHECK YOUR UNDERSTANDING
Adoption Troubleshooting – Answers – Configuration

AP can see the controller, but cannot adopt:


– show adoption pending – should see the AP and the reason for refusal
– show adoption log adopter / adoptee
– Check the auto-provisioning policy rules
• Did you correctly set up L2 (VLAN) vs L3 (IP) adoption?
• Do you have “Adopt If No Rules Match” enabled?
– Check if the AP is stranded after getting your config
• Auto-learn staging config?

AutoP Policies only work for new APs by default:


– If a device section already exists in the
config file – policy will not trigger
– show wireless ap configured to check
– Or use reevaluate-everytime
group20-rfs4000# show wireless ap configured
+---+----------------+-------------------+----------------+------------------+----------------+
|IDX| NAME | MAC | PROFILE | RF-DOMAIN | ADOPTED-BY |
+---+----------------+-------------------+----------------+------------------+----------------+
| 1 | group20-ap650 | 00-23-68-31-14-2D | group20-ap650 | group20-rfdomain | un-adopted |
| 2 | group20-ap7131 | 00-15-70-C7-8F-F0 | group20-ap7131 | group20-rfdomain | un-adopted |
+---+----------------+-------------------+----------------+------------------+----------------+

163
CHECK YOUR UNDERSTANDING
Adoption Troubleshooting – Answers – Discovery / connectivity issues

L2 Adoption checks:
– AP is on the same VLAN as Controller
– VLAN tagging configuration on both AP and the LAN switch port
– Native VLAN configured correctly all the way through to Controller
– No ACLs between (or directly on) the Controller and AP drop EtherType 0x8783
– Broadcast/multicast filtering is not present on LAN switches
– STP is not enabled on the LAN switch port connected to the AP

L3 Adoption checks:
– Check DHCP configuration
• AP has received correct DHCP parameters (incl option 191 syntax)
• show ip dhcp-vendor-options, service show dhcp-lease
– Check IP connectivity between Controller and AP (both ways!)
• Check default gateways on both controller and AP
• Wired client on the AP VLAN can ping the controller and vice versa
– No ACLs between (or directly on) the Controller and AP drop UDP 24576
– STP is not enabled on the LAN switch port connected to the AP
– Check whether pre-staged config is learned properly

164
CHECK YOUR UNDERSTANDING
Adoption issue

Remote site adopting to controller in DC
– DHCP set up for out-of-box adoption
– APs can ping controller
– APs not trying to adopt to controller

dhcp-server-policy site-dhcp
 option ControllerIP 191 ascii
 dhcp-pool mgmt
  network 172.16.11.0/24
  default-router 172.16.11.1
  address range 172.16.1.11 172.16.1.99
  option ControllerIP 10.1.1.1

What will you check for?


– Which commands will you be using to confirm your guesses?
How can you fix it?

Is that enough?

165
CHECK YOUR UNDERSTANDING
Adoption issue

WAN deployment with VPNs


– NX7500, RF Domain “DC”, 20 APs, RF-Domain “Site1”

APs discover controller no problem, controller pushes config


– APs hang with * or “Wait ACK” in adoption status, then start all over
nx-dc# show adoption status
-------------------------------------------------------------------
AP-NAME VERSION CFG-STAT MSGS ADOPTED-BY
-------------------------------------------------------------------
AP7532-1 5.7.0.0-057R *configured No nx-dc
AP7532-2 5.7.0.0-057R *Wait ACK No nx-dc
AP7532-3 5.7.0.0-057R *configured No nx-dc

What are two possible reasons?


– ____________________________________________________________
– ____________________________________________________________
Which troubleshooting steps will you take? ____________________
How can you fix it? ____________________________________________
166
REFERENCE DESIGNS TROUBLESHOOTING
Module recap

Check your learning, can you perform the following?


 Identify common mistakes made during deployment, and how they manifest
themselves
 List troubleshooting commands and techniques for each of the reviewed
cases: single site, multi-site, adoption, tunnelling
 Apply troubleshooting techniques to identify and fix issues
 Quite confidently say that you are “quite confident” troubleshooting WING5
infrastructure-related issues
− WLAN/feature troubleshooting to follow

Any experiences or opinions to share? Have you encountered any similar


situations before?
Was this helpful? How?

Any questions before we wrap up?

167
PART 1 SUMMARY
What you have learned:
 Portfolio, licensing, key concepts
 Device configuration and management
 How WiNG5 architecture operates
 Adoption, tunnelling, clustering, MiNT
 Reference designs
 Best practices
 Common design/deployment mistakes
and troubleshooting

Was it useful?

Good job! Was it fun?

Any final comments?


168
PART 2: WING
WLANS
Wireless LANs
Captive Portals
WLAN Optimization Features
Mesh

169
WLANS AND WLAN
FEATURES
Providing Wireless Service

170
WLANS AND WLAN FEATURES
Module Intro

Here’s what you’ll learn:


 Explain and configure three types of WLANs in WiNG5
− PSK-based WLANs
− 802.1X-based WLANs with external RADIUS server
− Hotspot-based WLANs with onboard Captive Portal
 Explain supported WLAN encryption and authentication modes
 Identify typical use cases, designs and options for above features
 Explain where TKIP has gone, and why TKIP and WEP are bad for 802.11n/ac
Plan:
 Discuss the topics.
 Check your knowledge by answering recap questions
 Practice your new skills and knowledge in the labs

What are your experiences performing this on WiNG5/4 or other vendors’ devices?
What is the proportion of RADIUS/PSK/Captive Portal deployments in your work?
171
WLANS
Introduction

Define a WLAN object with:
– WLAN settings: ESSID, security, DTIM, QoS, etc
– VLAN mapping: Static or Dynamic
– Bridging mode: Local / Tunnel

…then map to AP Radios
– Using Profiles or Overrides
– WLANs assigned to device radios will override all WLANs assigned from the profile
– Up to 16 WLANs per Radio

WLAN overrides
– Status: selectively enable/disable WLANs
– SSID: Have the same WLAN under different name
– VLAN Pool: Have the same WLAN mapped to
different VLANs
– Keys (WEP and WPA/WPA2 PSK): different keys
per site
– Assigned via RF Domain or Device Overrides

172
WLANS
Encryption

Encryption on APs (local). Supported:

Migrate from WEP w/o deploying extra WLAN


– Multiple WLANs with same ESSID but different encryption ciphers
– Supported for WEP and CCMP
Fine-tuning: PSK/WEP Key overrides per RF Domain

Wi-Fi Alliance banned ‘pure’ WPA/TKIP starting Jan 01 2014. WEP is next.
Still can be done via CLI service commands
WPA2-CCMP and None are the only encryption methods supported in 802.11n/ac.
802.11 standard prohibits fast data rates when WLAN uses any other encryption.
173
WLANS
Authentication
Authentication methods supported:
– 802.1X EAP, EAP-PSK, EAP-MAC
– Kerberos
– MAC
– LEAP (pass-through)
– None

802.1X EAP with PSK


– CCMP encryption with 802.1X or PSK authentication (client chooses at
association)
– Easy transitions from PSK to 802.1X

Fast and smooth roaming


– 802.11r FT, PMK Caching, OKC, Pre-Auth
– For WPA/WPA2-Enterprise WLANs
EAP Credentials caching (up to 1 day)

Parameters defined via AAA Policy


– Required for 802.1X EAP, 802.1X EAP PSK and MAC authentication methods

174
WLANS
Choosing between PSK vs. EAP

PSK
– Widely supported by clients
– Easily understood by users
• Easy set up, easy for BYOD
– Less roaming delays
– Same PMK for all clients on the WLAN
• Vulnerable to attacks such as Reaver
– Management overhead
• Periodic rotation?
• Device compromise?
• Pushed to all clients!

EAP
– May not be supported by all clients
– Harder to set up by users
• Set up varies by device
– Needs PMK caching/OKC to speed up roaming
– Unique PMK for every client
• Allows having clients with different security requirements on the same WLAN
– Unique management benefits and little overhead
• Little needs to be done on client side
• Plenty of onboarding solutions for all types of clients make even EAP-TLS possible
• Can identify each user and device
• In fact, PEAP is dying out with onboarding and BYOD spread

175
WLANS
VLAN Mapping
VLANs can be mapped to WLANs
– Statically (at config time): As written in the WLAN profile (single / pool)
– Dynamically (at association time): RADIUS, LDAP, Role-Based Firewall, Hotspot
• Based on server replies. Can also assign ACLs, Access time windows, etc.
• Cached along with credentials, fallback possible if no server reply.
• Requires 802.1X or MAC Authentication mode
Can map to local or tunnelled VLANs

[Figure: Static VLAN pool: the WLAN is load balanced across VLAN 11, VLAN 12 and VLAN 13. Dynamic VLAN assignment: a RADIUS or LDAP server returns the VLAN per user (User: Bob, VLAN: 11; User: Sally, VLAN: 13; User: Jim, VLAN: 12)]
WLANS
WLAN Assignment

WLAN (ESSID)  BSSID  Radio


– BSSIDs per AP Radio: 16
– ESSIDs per AP Radio: 16
BSSID is derived from the MAC address of the AP radio
BSSID MAC Address Explanation
1 00:23:68:72:20:DC Same as MAC address of the radio
2 00:23:68:72:20:DD Radio MAC address + 1
3 00:23:68:72:20:DE Radio MAC address + 2
… … …
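The derivation in the table, written out as an added example (not WiNG code): it generates the up-to-16 BSSIDs a radio MAC can produce and, the other way round, maps an observed BSSID back to the radio and BSS index it belongs to, so a beacon whose BSSID fits no known radio can be flagged for investigation. The only assumption beyond the table is that the “+ n” carries across octet boundaries as plain 48-bit arithmetic.

```python
from typing import Dict, List, Optional, Tuple

BSSIDS_PER_RADIO = 16  # limit stated on the slide


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff' to a 48-bit int."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Render a 48-bit int as colon-separated upper-case hex."""
    return ":".join(f"{(value >> shift) & 0xFF:02X}" for shift in range(40, -1, -8))


def derive_bssids(radio_mac: str, count: int = BSSIDS_PER_RADIO) -> List[str]:
    """BSSID n is the radio MAC address + (n - 1), as in the table.
    Assumption (not stated on the slide): the addition carries across octets,
    e.g. ...:20:FF + 1 -> ...:21:00."""
    if not 1 <= count <= BSSIDS_PER_RADIO:
        raise ValueError("count must be between 1 and 16")
    base = mac_to_int(radio_mac)
    return [int_to_mac((base + i) & 0xFFFFFFFFFFFF) for i in range(count)]


def locate_bssid(observed: str, radios: Dict[str, str]) -> Optional[Tuple[str, int]]:
    """Map an observed BSSID to (radio name, BSS index 1..16).

    radios maps a radio name to its MAC address. Returns None when no known
    radio could have produced the BSSID, i.e. the beacon is not ours and
    deserves a look (rogue AP, neighbour, or an AP missing from inventory)."""
    target = mac_to_int(observed)
    for name, mac in radios.items():
        offset = target - mac_to_int(mac)
        if 0 <= offset < BSSIDS_PER_RADIO:
            return name, offset + 1
    return None


if __name__ == "__main__":
    # Constructed inventory using the radio MAC from the table above
    inventory = {"ap7131-t99:R1": "00:23:68:72:20:DC"}
    print(derive_bssids("00:23:68:72:20:DC", 3))
    print(locate_bssid("00:23:68:72:20:DE", inventory))  # our radio, BSS 3
    print(locate_bssid("00:23:68:72:20:EC", inventory))  # 16 past the base: not ours
```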

Best Practices
– One-to-one mapping of ESSID to BSSID
• Clients view each BSSID as a different AP
• Each individual BSS/ESS adds overhead traffic
– Set the DTIM interval to
• 10 for battery-sensitive client devices that have to work long shifts
• 2-3 for VoIP

177
AAA SERVICES
What can WiNG5 do?

Authenticator (via AAA Policies)


– Supports 802.1X and MAC (customizable MAC address format)
– Supports Wireless and Wired authentication
– Multiple authentication and accounting servers with balancing and failover

– Certificate Support
– Credentials cached for up to 1 day

On-board RADIUS Server (RADIUS Server Policies)


– TLS, TTLS (MD5, PAP, MSCHAPv2), PEAP (MSCHAPv2, GTC)
– Multiple User Pools for different services
– Database: Local, RADIUS Proxy, LDAP Proxy (per WLAN)
• TTLS-PAP, PEAP-GTC
• MS Active Directory integration for additional PEAP-MSCHAP
• Redundancy (including fallback to local database)
– On APs and Controllers

178
AAA SERVICES
AAA Policies – Server Pools

Each AAA policy can include a pool of up to 6 RADIUS authentication and 6 accounting servers:
– Possible server types: integrated (controller/AP), external (IAS/NPS/ACS/SBR/etc)
– Unique IP/hostname, port, secret, realm, etc per server
– Can mix and match
Requests can either be load-balanced or fail over between all servers in the pool

[Figure: two AAA policies, each pointing at a RADIUS Server Pool; one pool is Load-Balanced, the other Fail-Over]

179
AAA SERVICES
AAA Policies – Server Proxy Modes

For flexibility each RADIUS server entry includes a proxy operating mode:
– None: RADIUS exchanged directly between AP and RADIUS server
(Requires IP Address on the AP)
– Through-Controller: RADIUS exchange is proxied through the Controller
managing the AP
– Through-RF-Domain-Manager: RADIUS exchange is proxied through the
local RF Domain Manager (elected Wireless Controller or AP)

[Figure: three WLAN/AAA/RADIUS Server Pool paths, one per proxy mode: Proxy Mode: None, Proxy Mode: Through-Controller, Proxy Mode: Through-RF-Domain-Manager]

180
AAA SERVICES
RADIUS – Examples
Can you explain the goals behind these designs?
Which one is the most popular?
[Figure: three AAA redundancy designs, each with Primary and Secondary (and in one case Tertiary) AAA servers and their user databases]

AAA Redundancy Example 1: Typical AD integration
– Users: AD
– AAA: MS NPS/IAS
AAA Redundancy Example 2: Generic RADIUS/LDAP
– Users: RADIUS/LDAP Database
– AAA: Controller as RADIUS/LDAP proxy
AAA Redundancy Example 3: Multi-site local DB
– Users: Onboard RADIUS
– AAA: On controller and site AP
Where does AAA policy point to? What is the AAA server pool config?
What is the role of Controller?
182
AAA SERVICES
Best Practices

 Enable EAP for all proprietary or mission-critical WLANs


 Install a valid digital certificate on all infrastructure devices
 Why?

 Use RADIUS + MS NPS/IAS for AD Integration instead of LDAP
 AD schemas change with every Windows Server release
 Let MS handle MS-to-MS integration
 It’s free!

 When using Roaming with RADIUS


 Latency may be an issue
 Make sure PMK Caching works
 Or better FT (802.11r) / Voice Enterprise

183
WLANS: PSK AND 802.1X
Check your understanding

1 The deployment is using 802.11ac APs and 802.11n clients, but they don’t see any high rates. What is the most probable cause? ______________________________________

2 How many BSSIDs on a 3-radio AP8163? _______________________________________

3 What’s the difference between BSSID and ESSID? _______________________________

4 Where is RADIUS client in 802.1X: STA, AP, Controller? ___________________________

5 When would you want to proxy RADIUS traffic over MiNT? _________________________

6 You see beacons in the air with ESSID of your WLAN, but the BSSID does not match the MAC of your radio. Could it be your AP? When? When not? ________________________

7 What is the recommended way to integrate with AD? ______________________________

Any questions before we move on to the lab?


184
LAB: WLANS AND AAA

Lab 04: PSK WLAN


– Create PSK WLAN
– Test

Lab 05: 802.1X WLAN


– [Pre-configured on-board RADIUS Server]
– Create AAA Policy
– Create 802.1X WLAN
– Test
– [Extra] Examine RADIUS server setup

185
WLANS: PSK AND 802.1X
Section recap

Check your learning, can you perform the following?


 Explain and configure basic WLANs in WiNG5
− PSK-based WLANs
− 802.1X-based WLANs
 Explain supported WLAN encryption and authentication modes
 Explain WLAN Mapping
 Explain VLAN assignment
 Explain where TKIP has gone, and why TKIP and WEP are bad for 802.11n/ac
 Explain AAA policies and typical AAA integration designs

Any interesting thoughts?


Was it helpful? How?

Any questions before we move on?

186
CAPTIVE PORTALS
…be my guest!

187
CAPTIVE PORTAL
Introduction

Multiple Captive Portal instances per device (one per WLAN)

Various Access Modes:
– Username and password (RADIUS / LDAP)
– Social Sign In (OAuth)
– User Registration: custom form with email or SMS authentication
– “Splash page” mode
– Silent: generate SNMP trap / syslog and permit access
– Returning users support
– Optional “Terms and Conditions” check box and T&C page
– Time-based access (until certain time or overall duration)
– Bandwidth tracking (with throttling)
– Voucher support

Web pages
– Mobile Friendly, customizable, instant preview
– Or fully user-defined HTML with custom CSS/JS, etc
– Hosted locally on device or externally on HTTP server
– Mass push techniques

RADIUS and LDAP integration (VLAN, Role, etc assignment)
HTTP (default) or HTTPS connection modes
Pure wired CP operation mode
Custom webuser-admin for bulk user provisioning
PassPoint support
User analytics and reports
And many other features…

How much is the license?


Free of charge!!!
…right answer gets a license for 1yr
188
CAPTIVE PORTAL
Enforcement Modes

Choose when to direct users to Captive Portal


– Off – Captive Portal is disabled on the WLAN
– On – Captive Portal enforcement is enabled for all Wireless Clients even if
primary authentication succeeds
– Fallback – Captive Portal is enabled for all Wireless Clients if MAC or EAP
authentication fails (no encryption)

What do you think is the use case?


– Allow returning users to access the hotspot w/o the annoying login screen

[Figure: Off: Primary Authentication only. On: ‘Optional’ Primary Authentication, then Captive Portal. Fall-Back: EAP / MAC Authentication, then ‘Optional’ Captive Portal]

189
CAPTIVE PORTAL
Web Pages

Web page types
– Login: redirect to this page
– Welcome: on auth success
– Failed: on auth failure
– User Agreement: terms & conditions
– Etc…
Web pages can be defined and stored as:
– Internal: Stored on the device flash. Can be partially customized from the UI.
– Advanced: Fully customized HTML files uploaded onto portal device flash
• Can be uploaded manually or automatically
– External: Stored on external HTTP server, specified as URLs
Configured per Captive Portal Policy

Flash layout of the uploaded pages:
flash:/
  hotspot/
    wlan-name-1/
      login.html
      welcome.html
      fail.html
      agreement.html
    wlan-name-2/

190
CAPTIVE PORTAL
Capture & Redirection

Prior to authentication, the Captive Portal will block traffic except for
– ARP, DHCP, DNS, White Listed hosts and packets to/from the captive portal server (TCP ports 880 & 444)
Which common protocol is missing?

HTTP Capture & Redirection (Wireless Client / Captive Portal / Backend Network):
1 User associates to the WLAN
2 DHCP Discover, DHCP Offer, DHCP Request, DHCP ACK
3 User attempts to connect to a Web Page
4 DNS Query (www.example.com), DNS Response (216.77.22.133)
5 HTTP Req. (216.66.22.133 Port 80)
6 HTTP Redirect (Portal IP Port 880)
7 HTTP Req. (Portal IP Port 880)
8 HTTP Response (Login Page)

HTTPS Capture & Redirection (Wireless Client / Captive Portal / Backend Network):
1 User associates to the WLAN
2 DHCP Discover, DHCP Offer, DHCP Request, DHCP ACK
3 User attempts to connect to a Web Page
4 DNS Query (www.example.com), DNS Response (216.77.22.133)
5 HTTP Req. (216.66.22.133 Port 80)
6 HTTP Redirect (Portal IP Port 444)
7 HTTPS Req. (Portal IP Port 444)
8 HTTPS Response (Login Page)
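The pre-authentication filter and redirect described above, modelled as an added example (not WiNG code): it applies the slide’s allow list (ARP, DHCP, DNS, white-listed hosts, the portal on 880/444), redirects captured port-80 requests to the portal in either HTTP or HTTPS connection mode, and forwards everything once the client has authenticated. The `/login.html` path and the `Packet` shape are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# Portal listener ports from the slide
PORTAL_HTTP_PORT = 880
PORTAL_HTTPS_PORT = 444
# Pre-authentication UDP allowances from the slide: DHCP (67/68) and DNS (53)
ALLOWED_UDP_PORTS = {67, 68, 53}


@dataclass
class Packet:
    """Minimal view of a client frame; constructed for this example."""
    proto: str          # "ARP", "UDP" or "TCP"
    dst_ip: str = ""
    dst_port: int = 0


@dataclass
class CaptiveWlan:
    portal_ip: str
    https_mode: bool = False                        # HTTP is the default on the slide
    whitelist: Set[str] = field(default_factory=set)     # white-listed host IPs
    authenticated: Set[str] = field(default_factory=set)  # client MACs past the portal

    def login_url(self) -> str:
        # login.html is the login page name from the flash:/hotspot layout;
        # the URL format itself is an assumption of this model
        if self.https_mode:
            return f"https://{self.portal_ip}:{PORTAL_HTTPS_PORT}/login.html"
        return f"http://{self.portal_ip}:{PORTAL_HTTP_PORT}/login.html"

    def decide(self, client_mac: str, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return ("forward", None), ("redirect", url) or ("drop", None)."""
        if client_mac in self.authenticated:
            return "forward", None
        if pkt.proto == "ARP":
            return "forward", None
        if pkt.proto == "UDP" and pkt.dst_port in ALLOWED_UDP_PORTS:
            return "forward", None
        if pkt.dst_ip in self.whitelist:
            return "forward", None
        if pkt.dst_ip == self.portal_ip and pkt.dst_port in (PORTAL_HTTP_PORT, PORTAL_HTTPS_PORT):
            return "forward", None
        if pkt.proto == "TCP" and pkt.dst_port == 80:
            # Only plaintext HTTP can be answered with a redirect. A TLS
            # session to a third-party host cannot be rewritten, so it is
            # dropped like any other non-allowed traffic.
            return "redirect", self.login_url()
        return "drop", None

    def on_login_success(self, client_mac: str) -> None:
        """Called by the portal after the login page is completed."""
        self.authenticated.add(client_mac)


def walk_slide_sequence(https_mode: bool) -> list:
    """Replay the capture sequence from the slide for one client and
    return the filter decision at each step."""
    wlan = CaptiveWlan(portal_ip="10.10.10.1", https_mode=https_mode)  # constructed portal IP
    mac = "2222.2222.2222"
    portal_port = PORTAL_HTTPS_PORT if https_mode else PORTAL_HTTP_PORT
    steps = [
        Packet("UDP", "255.255.255.255", 67),        # DHCP Discover / Request
        Packet("UDP", "10.10.10.53", 53),            # DNS Query (constructed resolver IP)
        Packet("TCP", "216.66.22.133", 80),          # HTTP Req. to the web page
        Packet("TCP", "10.10.10.1", portal_port),    # Req. to the portal login page
    ]
    decisions = [wlan.decide(mac, p)[0] for p in steps]
    wlan.on_login_success(mac)
    decisions.append(wlan.decide(mac, Packet("TCP", "216.66.22.133", 80))[0])
    return decisions


if __name__ == "__main__":
    print(walk_slide_sequence(https_mode=False))
    print(walk_slide_sequence(https_mode=True))
```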

191
CAPTIVE PORTAL
Configuration – Captive Portal Policies

Captive Portal implementation consists of two parts, each defined by the same Captive Portal Policy
– The “Captive” WLAN:
• AP will perform “Capture” on this WLAN
• Select the Enforcement Mode
• Map to your hotspot VLAN (Local or Tunnelled)
– The “Portal” Device (same AP or other device)
• Hosts the Portal part (web server)
• Talks to AAA servers (if required) using AAA policy
• Must be reachable over TCP/IP via the hotspot VLAN
Same Captive Portal Policy must be assigned to both parts to make Captive Portal work.

[Figure: the Captive Portal Policy is referenced by the WLAN (Local or Extended VLAN) and by the Device Profile of the portal device, which has a Virtual IP Interface in the hotspot VLAN]

192
CAPTIVE PORTAL
Example 1: Public Hotspot
[Figure: Data Center: Web Server with Login Pages, User DB Provisioning, AP Adoption on VLAN 10. Public Network / MPLS: User Traffic inside IPSec, World Wide Web. Remote Site (Public Hotspot): Local VLAN 100 with Captive Portal, DHCP, Firewall, NAT and IPSec VPN on the AP; Default Gateway for Local VLAN 4094]
193
CAPTIVE PORTAL
Example 2: Enterprise Tunnelled Guest Access

[Figure: Public Network: World Wide Web, Firewall, NAT. DMZ: Captive Portal with DHCP on Ext. VLAN 200, Default Gateway for Tunnelled VLAN 200. Data Center: Firewall, AP Adoption on VLAN 10 / VLAN 20. Distribution: VLAN 11, VLAN 12, VLAN 13. Guest Access WLAN on the APs: Ext. VLAN 200 tunnelled to the DMZ]
194
CAPTIVE PORTAL
Hotspot Recommendations

Can you explain, why the following are best practices?


 Use authentication or, better, registration with
confirmation
 Keep access logs for a couple months (if legal)
 When permitting access to private networks, use
WPA2-PSK encryption with strong passwords
 Install digital certificates on infrastructure devices
 Use a dedicated VLAN for hotspot traffic
 Limit/throttle guest access to private networks and
high-bandwidth applications

195
CAPTIVE PORTAL
When hotspot fails

WiNG5 can alert user when Captive Portal Service is not operational
– RADIUS Server is lost
– External HTTP server is lost
– Controller is lost
– Another Critical Resource is lost
• DHCP server
• WAN next-hop
• DNS server
• etc…
Present a customizable ‘Failure’ web page to the user

[Figure: Data Center with AAA Server, HTTP Server and DC Controller, reached over the Internet from the Remote Site RFDM]

Remote Site

196
GUEST REGISTRATION
Registration Methods
Device (MAC) Registration
– Prompt user for details based on Access Type and configuration (can choose fields)
– Store device MAC address in the controller’s database
– Same MAC will not require authentication on subsequent visits
– No Email or SMS passcode validation with this use case

Device Registration with One-Time-Password (OTP)


– Prompt user to register with email / mobile phone number / loyalty ID (+additional
details)
– Captive Portal provides the passcode for access via email / SMS (ID confirmation)
– User logs in with their ID and passcode from their device
– Same MAC will not require authentication on subsequent visits
– Must be repeated for each device

User Registration with Email or SMS notification


– Prompt user to register with email / mobile phone number / loyalty ID (+additional
details)
– Captive Portal provides the passcode for access via email / SMS (ID confirmation)
– User logs in with their ID and passcode from any number of devices
– Must be repeated every time they visit (no MAC stored)

Social Media Authentication (Social Logon) option


– In addition to email/SMS auth user may opt to authenticate via social network profile
– Works with any of the above methods
– Initial release: Facebook, Google. More to follow

197
GUEST REGISTRATION
Analytics & Statistics

DB import-export supported
198
WLANS: CAPTIVE PORTALS
Check your understanding

1 Captive Portal configuration is defined in _______________________________________

2 Captive Portal Policies must be assigned to _______ capturing and redirecting users AND to ________ hosting the Portal

3 Should the device hosting the Captive Portal have IP Address in the Hotspot VLAN? _______________________________________________________________________

4 What access types are supported? _______________________________________________

5 Which Guest Registration modes are supported? How can user identify themselves? _______________________________________________________________________

6 What are the best practices for Captive Portals? __________________________________

7 How much does the license cost? _______________________________________________

Any questions before we move on to the lab?


199
LAB: CAPTIVE PORTALS

Lab 06: Create and Test Hotspot WLAN


– Create Captive Portal Policy
– Assign to Hotspot WLAN and Portal
Device
– Test

200
CAPTIVE PORTALS
Pre-lab recap

Check your learning, can you perform the following?


 Explain and configure Hotspot-based WLANs with on-board Captive Portal
 Explain where can Captive Portal be hosted in WiNG5 architecture
 Explain supported types of Captive Portal pages
 Explain supported types of Captive Portal access modes
 Explain popular captive portal designs and features

Any interesting opinions?


Was it helpful? How?

Any questions before we move?

201
OTHER NOTABLE WLAN FEATURES
Device Fingerprinting

A technique to identify device type and OS


– All WLANS: based on a unique pattern in DHCP packets sent by the client
device
– Captive Portal WLANs: based on browser requests
• Allows browser type identification as well

Use it for
– User analytics, monitoring and troubleshooting
• Who are my visitors?
• How many tablets have I got on the network?
• Why is this device so slow?
• What is this weird client?
• How much YouTube traffic is generated by tablets/smartphones?
– Role-based access based on device type (incl BYOD)
• Company laptop = full access
• BYOD tablet = limited access (on the same WLAN under the same user name)

202
OTHER NOTABLE WLAN FEATURES
Syslog URL Logging

Monitor and log the web sites users access and forward the information to
an external Syslog server
– Log guest user activity for compliance
– No license is required
– Supported on all platforms

Option to strip Image URLs and Query Strings


– restrict the amount of URL data that is captured

Can be enabled on any Wireless LAN


– Requires the stateful packet inspection firewall to be enabled on the Access
Points

203
OTHER NOTABLE WLAN FEATURES
Dynamically enabling/disabling WLANs

Any WLAN can be temporarily disabled on AP radio based on condition, such as:
– AP un-adoption
– Critical Resource down (CRM)
– Ethernet Link loss (up1/ge1)
– MeshPoint Root loss (MeshConnex)
– Time-Based (local AP time)

Conditions are independent
– Wireless LAN will be disabled when ANY condition is met

Use to prevent client associations to
– APs that lost connectivity
– Mesh nodes that lost their peers
– Office WLANs out of operations hours

204
OTHER NOTABLE WLAN FEATURES
WLAN Tips and Tricks
Quick overview of WLAN config
– sh wireless wlan usage-mappings
– sh wireless wlan policy-mappings

Which WLANs are where?
– sh wireless radio wlan-map
…also useful for documentation

Captive portal user management:
– no captive-portal client <mac>/<captive-portal-name>

Useful reference and regulatory info
– service sh wireless reference […]
– show wireless regulatory […]

dc#sh wireless wlan usage-mappings | policy-mappings
-----------------------------------------------------------------------
TYPE        NAME                WLANS
-----------------------------------------------------------------------
Profile     lab-ap7131          t99-eap,t99-hspot,t99-psk1
Profile     lab-ap622           t99-eap,t99-hspot,t99-psk1
Profile     lab-ap650           t99-eap,t99-hspot,t99-psk1
AP Config   5C-0E-8B-58-8A-F4   t99-eap,t99-psk2
-----------------------------------------------------------------------

dc#show wireless radio wlan-map
-----------------------------------------------------------------------
RADIO          AP-MAC              AP-TYPE   RF-MODE       BSS IDX   MAPPED WLAN
-----------------------------------------------------------------------
ap7131-t99:R1  5C-0E-8B-58-8A-F4   ap71xx    2.4GHz-wlan   1         t99-psk1*
                                                           2         t99-eap*
ap7131-t99:R2  5C-0E-8B-58-8A-F4   ap71xx    5GHz-wlan     1         t99-psk2*
                                                           3         t99-eap*
ap7131-t99:R3  5C-0E-8B-58-8A-F4   ap71xx    sensor
ap650-t99:R1   5C-0E-8B-98-C4-94   ap650     sensor        1         t99-psk1*
                                                           2         t99-eap*
                                                           3         t99-hspot*
ap650-t99:R2   5C-0E-8B-98-C4-94   ap650     5GHz-wlan     1         t99-psk2*
ap622-t99:R1   B4-C7-99-57-C4-1C   ap622     2.4GHz-wlan   1         t99-psk1*
                                                           2         t99-eap*
ap622-t99:R2   B4-C7-99-57-C4-1C   ap622     5GHz-wlan     1         t99-psk2*
-----------------------------------------------------------------------

205
WLANS AND WLAN FEATURES
Module recap

Check your learning, can you perform the following?


 Explain and configure three types of WLANs in WiNG5
− PSK-based WLANs
− 802.1X-based WLANs with external or onboard RADIUS server
− Hotspot-based WLANs with onboard Captive Portal
 Explain supported WLAN encryption and authentication modes
 Identify typical use cases, designs and options for above features
 Explain where TKIP has gone, and why TKIP and WEP are bad for 802.11n/ac
 Explain supported Captive Portal access modes
 Explain all relevant WiNG5 configuration elements and policies

Any lab experiences or opinions to share?


Was this helpful? How?

Any questions before we move on?

206
WLAN OPTIMIZATION
FEATURES
Optimize your WLAN for enhanced
performance
WLAN OPTIMIZATION FEATURES
Module Intro

Here’s what you’ll learn:


 Explain and configure SMART RF
 Use SMART RF statistics to analyse WLAN state and potential issues
 Describe WLAN Load Balancing, QoS and Roaming Assist features
Plan:
 Discuss the topics.
 Check your knowledge by answering recap questions
 Practice your new skills and knowledge in the labs

What are your experiences with any AutoRF technology?


How many issues did you see because of incorrectly configured AutoRF?

208
SMART-RF
Introduction

[Figure: SMART-RF feature wheel: Smart Off Channel Scanning, Application Aware (Voice, PSP), Coverage Hole Detection, Interference Avoidance, On-board WIPS Detector, Neighbor Recovery, Optimum Channel Selection, Optimum TX Power Selection]
209
SMART-RF
Off-Channel Scanning and 24/7 Calibration

1 All AP’s periodically go off-channel (off-channel-duration)
2 They scan a single channel (channel list can be specified, and further tweaked per RF Domain)
3 Each channel can be scanned multiple times (sample count)
4 The entire band is only scanned at defined intervals (extended-frequency-scan)

Nearly non-disruptive: Voice-aware, PSP-aware, Mesh-aware
Always up to date: continuous background calibration 24/7
Integrated: integrates with WIPS and other WING5 features

210
SMART-RF
Neighbour Recovery

[Figure: neighbour radios before and after an AP failure, labelled Normal / Rescue with TX power values 12db, 15db, 14db, 17db before and 10db, 14db, 17db after]
1 Neighbor radios monitor the Air
2 Neighbor radios sense when an AP fails
3 Neighboring APs raise TX power
4 Neighboring APs change from Normal to Rescue

Protects against loss of coverage due to sudden AP failure
– AP’s with faulty antennas
– AP’s with bad Ethernet Connections
– AP’s that are not visible anymore due to obstructions, etc…
Fully controlled and transparent: multiple config parameters, stats, logs, reports

211
SMART-RF
Coverage Hole Recovery

1 Coverage SNR threshold set to 20db
2 As the client moves away from the AP, SNR will drop
3 If SNR drops below set threshold of 20db, the AP raises its TX power
4 If the client SNR is maintained, the AP will reduce its TX power
5 The AP will repeat step 4 until the client SNR is maintained
[Figure: client SNR 21db / 20db as the AP TX power moves between 15db and 30db]

Protects against unavoidable temporary changes in coverage
– Site layout changes, refurbishments
– Inventory moving in the warehouse, etc
Fully controlled and transparent: multiple config parameters, stats, logs, reports
Keep in mind: signal from client to AP is still the same – plan RF properly!
212
SMART-RF
How is SMART RF configured?

smart-rf-policy HQ
enable
group-by building
sensitivity custom
assignable-power 5GHz min 11
assignable-power 5GHz max 15
assignable-power 2.4GHz min 8
assignable-power 2.4GHz max 12
channel-list 5GHz 36,40,44,48
channel-width 2.4GHz 40MHz
interference-recovery client-threshold 5
!
smart-rf-policy Branch
enable
group-by floor
sensitivity custom
assignable-power 5GHz min 11
assignable-power 5GHz max 15
assignable-power 2.4GHz min 8
assignable-power 2.4GHz max 12
channel-list 5GHz 149,153,157,161
channel-width 2.4GHz 40MHz
interference-recovery client-threshold 5
!

Three presets available for easy setup
– Can be fully customized and tuned
– Additional grouping by floor, building, etc

213
LAB: SMART RF

Lab 07:
– Create and Assign SMART RF Policy

– We need to begin collecting the stats!


– Follow the instructor to learn SMART RF
Statistics

214
SMART-RF
How does Smart-RF affect performance?

VeriWave Test Setup
Test: Packet Loss
Traffic Type: UDP
Packet Size: 1500
Traffic: 20,000 frames/s
Channel: 100+ (5Ghz)
Security: None
11n Config: AMPDU, SG, 20/40

[Figure: packet loss (Low / Medium / High) against Off Channel Frequency (1 sec, 6 secs, 120 secs) and Off Channel Duration (20msec, 50msec, 150msec)]

Frequency – How often should the AP go off-channel (1-120 seconds)
Off-Channel-Duration – How long should the AP be off-channel (20-150 msecs)

215
SMART RF
Controlling the air
SMART RF
Check your understanding: what’s wrong with this AP?

217
SMART RF
RF Reports and visualizations

Visualize coverage, interference and


more
– As heard by APs
– Nearly real-time
– Simple setup (load the floor plans
and position APs)
– No license required

Limitations:
– Not as accurate as ADSP
– Does not take into account material
properties
– No historical/forensic support
Still reports real-world data!

Also displays non-RF stats:


– Client
population/associations/search
– Throughput, utilization, etc

218
EXERCISE: SMART RF
REPORT

Review a sample SMART RF report with


instructor
What issues can you see?
How do you think the site operates?
Why do you think this happened?

219
SMART-RF
Check your understanding

1 Which SMART RF preset, would you think, optimises performance with coverage and is recommended by default? __________________________________________________

2 When running a throughput test, would you want to keep SMART RF on? ______________

3 Can SMART RF eliminate the need for proper RF design and site survey? ______________

4 Can SMART RF enhance network stability, performance and resilience, if RF Design takes SMART RF into consideration? _________________________________________

5 For recovery mechanisms to work, what should be the max SMART RF radio power? _______________________________________________________________________

6 Ensure different sites are in _________ RF Domains

Any questions before we move on?

220
WLAN OPTIMIZATION
Improving airtime and battery utilization

DHCP offer conversion
– Converts broadcast DHCP offers and ACKs to unicasts
– Reduces the number of Clients that have to receive and process the DHCP frame
– Only applicable when the DHCP server is on the same VLAN as the Wireless Client
Disabled by default – test and enable

[Figure: Broadcast DHCP Offers & ACKs. DHCP Server on VLAN 10 (MAC 1111.1111.1111, IP 192.168.10.5/24) sends the DHCP ACK to Ethernet destination ffff.ffff.ffff.ffff; Station 1 (MAC 2222.2222.2222, Wireless Client IP via DHCP) sends DHCP Discover / Request from 0.0.0.0]

Proxy ARP
– Controllers and APs generate ARP responses on behalf of Clients
– Reduces the need for Clients to wake up and respond to ARP requests
Enabled by default – do not disable

[Figure: Proxy ARP. Access Point (MAC 1111.1111.1111, IP 192.168.10.1/24) on VLAN 10 answers ARP on behalf of Station 1 (MAC 2222.2222.2222, IP 192.168.10.100/24), Station 2 (MAC 3333.3333.3333, IP 192.168.10.101/24) and Station 3 (MAC 4444.4444.4444, IP 192.168.10.102/24), all with DFG 192.168.10.1]
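The DHCP offer conversion described above, as an added example (not WiNG code): it parses an Ethernet/IPv4/UDP/DHCP frame, and when the frame is a broadcast Offer or ACK from a server on the client’s VLAN it rewrites the Ethernet destination to the client’s chaddr so only that station has to receive it. The model rewrites the L2 destination only; the sample frame is constructed inline with the addresses from the figure.

```python
import struct
from typing import Optional

BROADCAST_MAC = b"\xff" * 6
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
DHCP_MAGIC = b"\x63\x82\x53\x63"
BOOTREPLY = 2
DHCP_OFFER, DHCP_ACK = 2, 5


def mac_bytes(mac: str) -> bytes:
    """'1111.1111.1111' (the slide's notation) or 'aa:bb:cc:dd:ee:ff' to 6 bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def dhcp_message_type(options: bytes) -> Optional[int]:
    """Walk the RFC 2132 option TLVs and return the value of option 53, if present."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:                 # pad option, no length byte
            i += 1
            continue
        if code == 255 or i + 1 >= len(options):   # end option / truncated
            return None
        length = options[i + 1]
        if code == 53 and length == 1 and i + 2 < len(options):
            return options[i + 2]
        i += 2 + length
    return None


def convert_dhcp_broadcast(frame: bytes, server_on_client_vlan: bool) -> bytes:
    """Return the frame with a unicast Ethernet destination (the client's
    chaddr) when it is a broadcast DHCP Offer/ACK and the server sits on the
    client's VLAN (the slide's condition, supplied by the caller).
    Any other frame is returned untouched."""
    if not server_on_client_vlan or len(frame) < 14 + 20 + 8 + 240:
        return frame
    if frame[:6] != BROADCAST_MAC:
        return frame                                   # already unicast
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return frame
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_UDP:
        return frame
    udp = ip[ihl:]
    sport, dport = struct.unpack("!HH", udp[:4])
    if (sport, dport) != (DHCP_SERVER_PORT, DHCP_CLIENT_PORT):
        return frame
    dhcp = udp[8:]
    if len(dhcp) < 240 or dhcp[0] != BOOTREPLY or dhcp[236:240] != DHCP_MAGIC:
        return frame
    if dhcp[1] != 1 or dhcp[2] != 6:                   # htype Ethernet, hlen 6
        return frame
    if dhcp_message_type(dhcp[240:]) not in (DHCP_OFFER, DHCP_ACK):
        return frame
    chaddr = dhcp[28:34]                               # client hardware address
    return chaddr + frame[6:]


def build_dhcp_reply(server_mac: str, server_ip: str, client_mac: str,
                     yiaddr: str, msg_type: int) -> bytes:
    """Constructed sample: a broadcast DHCP reply as a server would emit it
    (broadcast flag set, IP destination 255.255.255.255, checksums left zero)."""
    options = bytes([53, 1, msg_type, 255])
    dhcp = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x3903F326, 0, 0x8000)
    dhcp += b"\x00" * 4                                   # ciaddr
    dhcp += bytes(int(x) for x in yiaddr.split("."))      # yiaddr
    dhcp += bytes(int(x) for x in server_ip.split("."))   # siaddr
    dhcp += b"\x00" * 4                                   # giaddr
    dhcp += mac_bytes(client_mac).ljust(16, b"\x00")      # chaddr (16 bytes)
    dhcp += b"\x00" * 192                                 # sname (64) + file (128)
    dhcp += DHCP_MAGIC + options
    udp = struct.pack("!HHHH", DHCP_SERVER_PORT, DHCP_CLIENT_PORT, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(x) for x in server_ip.split(".")), b"\xff\xff\xff\xff") + udp
    return BROADCAST_MAC + mac_bytes(server_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip


if __name__ == "__main__":
    # Addresses from the figure: server 1111.1111.1111 / 192.168.10.5, Station 1 2222.2222.2222
    offer = build_dhcp_reply("1111.1111.1111", "192.168.10.5", "2222.2222.2222",
                             "192.168.10.100", DHCP_OFFER)
    converted = convert_dhcp_broadcast(offer, server_on_client_vlan=True)
    print("dst before:", offer[:6].hex(), "dst after:", converted[:6].hex())
```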

221
WLAN OPTIMIZATION
QoS Support

WLAN QoS Policies
– Wireless Client classification: WMM, Static QoS
– SVP support (enable / disable)
– WLAN up / down rate limits
– Wireless Client up / down rate limits

Radio QoS Policies
– Queue Parameters (AIFSN, CW, TXOP)
– Admission Control Parameters: Airtime fairness, Maximum Clients, Maximum Roamed Clients, Reserved for Roam Percentage
– Per each WMM AC

Flexible mapping of Wireless to Wired QoS
Defaults suffice in 99% cases
Wireless QoS is a probability

222
WLAN OPTIMIZATION
Load Balancing

Better service to existing and future clients (that may connect or roam soon)

Load
– The number of users on an AP/channel/frequency band and throughput generated across the WLAN.
– Configured per WLAN and per AP

The following load-leveling algorithms can be used simultaneously:
– Loads per AP in a neighbourhood
– Loads per channel per band in a neighbourhood
– Loads between bands (2.4/5) in a neighbourhood (Smart Band Control)

Configured per WLAN and per AP
Special UI to monitor the load balancer

Roaming Assist feature to solve the ‘sticky client’ problem
– Disconnect a client with RSSI below threshold
– Ensure client roams to the right AP

223
WLAN OPTIMIZATION
Roaming assist

Client Roaming is always a source of problems in WLANs


– Fully controlled by client (when to roam, how to roam, which AP)
– Algorithms largely unknown, depend on chipset, driver, firmware,
manufacturer, phase of moon, etc
– Bugs, issues, design flaws and changes between client FW versions

Sticky Client Problem


– The clients often do not roam when they should
– Designed for 1-AP home scenario
– Negatively impacts entire WLAN cell: low rates, retransmits, etc.

Roaming Assist
– APs monitor clients and force-roam them
– Flexible criteria and filters to adjust aggressiveness
– Puts WLAN Admin & WLAN Designer back in control
– Configured via roaming-assist-policy (per WLAN or per radio)
224
WLAN OPTIMIZATION FEATURES
Module recap

Check your learning, can you perform the following?


 Explain and configure SMART RF
 Use SMART RF statistics to analyse WLAN state and potential issues
 Describe WLAN Load Balancing, QoS and Roaming Assist features

Any lab experiences or opinions to share?


Was this helpful? How?

Any questions before we move on?

225
MESH FEATURES
Absolutely wireless
MESH FEATURES
Module Intro

Here’s what you’ll learn:


 List two mesh options available and explain which one should be used in
absolute majority of situations
 List MeshConnex features
 Explain key MeshConnex benefits
 Explain mesh licensing in WiNG5
Plan:
 Discuss the topics.
 Check your knowledge by answering recap questions

What are your experiences with any vendor’s mesh networks?


Do you do mesh at all? Will you possibly need to?

227
WING5 MESH
Overview

Single-Hop (Legacy) Mesh
– Easy to set up
– Supported by all APs
– Local & tunnelled VLANs
– 1-hop limitation
– Only supported for legacy installs
– Do not use in new installs!

MeshConnex (MCX) Mesh
– A little longer to set up
– Not supported by entry-level APs
– Local & tunnelled VLANs
– No size limit
– Advanced routing & RF management algorithms
– Good for complex networks
228
MESHCONNEX MESH
Patented Mesh Technology that delivers…

Scalability and Flexibility


• Self-forming
• Each AP acts as a router/repeater
• Two-level routing allows scaling to 1000s of nodes
• Dynamic routing & link formation based on link quality metrics
Reliability and Adaptability
• Self-healing - every node can be a backup router/repeater
• Every access point makes the network stronger
• Dynamic routing restructures the network in case of failure or RF problems
• Provides automatic and survivable communication for data, voice, and video in any environment
High Performance
• Throughput-optimized connections
• Efficient routing with low overhead
• Low hop latency
• High-speed handoff
• Opportunistic Rate Link Adaptation
• Beamforming on selected APs

Integrated with WiNG5


• Supported by all but most basic APs
• With or without a controller, virtual controller
• Integrated with other WiNG features (Adoption, CRM, SMART RF, Dynamic Disable, etc)

229
MESHCONNEX MESH
How MCX works – Self-forming

[Diagram: APs AP1 to AP8 forming a mesh toward the Internet uplink; link labels: Link Quality, Path Metric]

230
MESHCONNEX MESH
How MCX works – Self-healing

[Diagram: the same AP1 to AP8 mesh with paths re-formed around a failure (self-healing)]

231
MESHCONNEX MESH
Opportunistic Rate Link Adaptation (ORLA)

Determines data rates that will provide the best throughput.


Proactively probes other rates to determine if greater
throughput is available.

232
MESHCONNEX MESH
How hard is it to set up?

MCX is relatively simple to configure


– Define MeshConnex policy (AKA MeshPoint)
• Defines general Mesh parameters
– Assign to APs (Profile/Override)
• Allows fine-tuning mesh parameters (set up Root
node overrides, for example)
– Assign to AP radios
• Similar to a WLAN but dedicated for Mesh Backhaul
– Takes <2 min in the simplest case

Each MP is a separate L2 link, like Ethernet trunk


over wireless
– Traffic can be bridged locally or tunnelled over
MiNT
– L2 (2-level routing) or L3 forwarding options
– Great scalability
– Unlimited hops (each hop adds latency, of course)

233
MESHCONNEX MESH
How hard is it to manage?

Statistics  <rf-domain>  Mesh Point

234
MESH FEATURES
Check your understanding

There are ___ mesh options available: ______-Hop MiNT mesh and _________ mesh
1

Which one should you forget about?


2

_______ mesh is a lot more powerful and is quite ______ to configure


3

Does MCX provide scalability, reliability, self-healing and optimal performance in Virtual
4 Controller network? _______________________________________________________

Which license is required for MeshConnex?


5 _______________________________________________________________________

Can you run MCX on Dependent APs? If yes – any limitations?


6 _______________________________________________________________________

235
MESH FEATURES
Module recap

Check your learning, can you perform the following?


 List two mesh options available and explain which one should be used?
 List MeshConnex features?
 Explain key MeshConnex benefits?
 Explain mesh licensing in WiNG5?

Any experiences or opinions to share?


Was this helpful? How?

Any questions before we move on?

236
PART 2 SUMMARY
What you have learned:
 Wireless LANs
 Captive Portals
 WLAN Optimization Features
 Mesh

Was it useful?

Good job! Was it fun?

Any final comments?


237
PART 3: ADVANCED
WING
WiNG Security Features
WAN Features
Efficient Management and Operations
Mass Management
WiNG Advanced Troubleshooting

238
SECURITY
FEATURES
Distributed Wireless Protection
SECURITY FEATURES
Module Intro

Here’s what you’ll learn:


 What are the differences in wired vs wireless threat model?
 What are the most important WING5 security features and their use cases?
 Which of these features require a license, and which are free?
 What are the best practices for configuring security features?
 How can I see what my firewall and WIPS are doing?
Plan:
 Discuss the topics.
 Check your knowledge by answering recap questions
 Mini-lab

Do you have to deal with security configuration in your current


or future deployments?
What are your experiences?

240
SECURITY
Wireless threats – are they the same as wired?

[Diagram: mobile users, a public hotspot and the INTERNET on one side; the enterprise WAN, wired VLAN, wireless VLAN and protected segment on the other; numbered threats placed where they occur]
1 Rogue AP, Rogue station (LAN<->WLAN bridging)
2 Hotspot phishing, Hotspot Evil Twin, Evil Twin, Ad-Hoc (IBSS) Networks, Accidental/malicious association (bypassing enterprise security)
3 Non-compliant AP (security policy not adhered to), Exploiting known infrastructure vulnerabilities
4 Encryption hacks, Denial of Service
5 LAN traffic bleeding into WLAN
6 Out of working hours access
Also shown: Scouting

241
SECURITY
WiNG5 Security Features

Stateful L2+ Distributed Firewall


• Distributed and mobility-aware
• Application Layer Gateways
• DNS integration
• Web content filtering
• Deep Packet Inspection / Application Visibility and Control
• Dynamic ACL Assignments (Role-Based Access)
IPS Features
• DoS Detection and Storm Controls
• MAC/IP/ARP/DHCP Spoofing Protection
• Enhanced on-board WIPS with Rogue Detection and Mitigation
• AirDefense WIPS Integration for total control
Other
• 802.1X AAA with RADIUS and LDAP support
• Traffic isolation via tunnelling and Segmentation (IPSec, L2TP, MiNT), ACLs
• Secure Device Access and Adoption
242
FIREWALL FEATURES
IP / MAC Conflict Detection

Inspect packets with IP / MAC bindings
– Prevent ARP spoofing attacks
– Mitigate attempts to steal IP addresses
– Prevent rogue DHCP servers
Valid bindings are learned by snooping DHCP packets
– Does not function with static IP addresses – must use DHCP

Under some setups causes false positives
– VMs running on the client
– Loops
– Multiple subnets on the same VLAN
– Secondary IP addresses
– ICMP redirects, VRRP, etc…

Example DHCP Snooping Table
-------------------------------------------------------------------------------
Snoop Binding <192.168.10.1, 00-12-83-93-B0-40, Vlan 10>
Type router, Touched 3 seconds ago
-------------------------------------------------------------------------------
Snoop Binding <192.168.10.14, 00-15-70-81-7B-0D, Vlan 10>
Type switch-SVI, Touched 9 seconds ago
-------------------------------------------------------------------------------
Snoop Binding <192.168.10.6, 00-E0-81-2F-DC-BC, Vlan 10>
Type dhcp-server, Touched 57 seconds ago
-------------------------------------------------------------------------------
Snoop Binding <192.168.10.101, 00-12-79-DE-38-40, Vlan 10>
Type dhcp-client, Touched 7175 seconds ago
router ip #1 - 192.168.10.1
dns ip #1 - 192.168.10.6
netmask = /24
Lease Time = 691200 seconds
-------------------------------------------------------------------------------
Snoop Binding <192.168.10.102, 00-13-02-2E-78-82, Vlan 10>
Type dhcp-client, Touched 2229 seconds ago
Mint ID: 70.e6.98.1c
router ip #1 - 192.168.10.1
dns ip #1 - 192.168.10.6
netmask = /24
Lease Time = 691200 seconds
-------------------------------------------------------------------------------

When seeing confirmed false positives:


– no ip-mac conflict
– no ip-mac routing conflict
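To make the IP/MAC binding check concrete, here is an added example (not WiNG code) that parses a snooping table in the format shown on the slide and classifies ARP sender pairs against the learned bindings. The table text is the one from the slide; the ARP samples, the verdict labels (ok, conflict, no-binding) and the helper names are constructed for this example. The no-binding verdict is where a static-IP host lands, which is why the slide insists on DHCP and why such hosts show up as false positives.

```python
"""Added example (not WiNG code): parse a WiNG-style DHCP snooping table
and validate ARP sender IP/MAC pairs against the learned bindings."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Snooping table as printed on the slide (separator lines shortened).
SNOOP_TABLE = """\
------------------------------------------------
Snoop Binding <192.168.10.1, 00-12-83-93-B0-40, Vlan 10>
Type router, Touched 3 seconds ago
------------------------------------------------
Snoop Binding <192.168.10.14, 00-15-70-81-7B-0D, Vlan 10>
Type switch-SVI, Touched 9 seconds ago
------------------------------------------------
Snoop Binding <192.168.10.6, 00-E0-81-2F-DC-BC, Vlan 10>
Type dhcp-server, Touched 57 seconds ago
------------------------------------------------
Snoop Binding <192.168.10.101, 00-12-79-DE-38-40, Vlan 10>
Type dhcp-client, Touched 7175 seconds ago
router ip #1 - 192.168.10.1
dns ip #1 - 192.168.10.6
netmask = /24
Lease Time = 691200 seconds
------------------------------------------------
Snoop Binding <192.168.10.102, 00-13-02-2E-78-82, Vlan 10>
Type dhcp-client, Touched 2229 seconds ago
Mint ID: 70.e6.98.1c
router ip #1 - 192.168.10.1
dns ip #1 - 192.168.10.6
netmask = /24
Lease Time = 691200 seconds
------------------------------------------------
"""

BINDING_RE = re.compile(
    r"Snoop Binding <(?P<ip>[\d.]+), "
    r"(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}), Vlan (?P<vlan>\d+)>")
TYPE_RE = re.compile(r"Type (?P<kind>[\w-]+), Touched (?P<age>\d+) seconds ago")


@dataclass
class Binding:
    ip: str
    mac: str                 # normalised: upper-case, dash separated
    vlan: int
    kind: str = "unknown"    # router, switch-SVI, dhcp-server, dhcp-client
    age: Optional[int] = None


def norm_mac(mac: str) -> str:
    return mac.replace(":", "-").upper()


def parse_snoop_table(text: str) -> List[Binding]:
    """One Binding per 'Snoop Binding <...>' header; the following 'Type ...'
    line fills in kind and age. Lease detail lines are ignored."""
    bindings: List[Binding] = []
    for line in text.splitlines():
        m = BINDING_RE.search(line)
        if m:
            bindings.append(Binding(m["ip"], norm_mac(m["mac"]), int(m["vlan"])))
            continue
        t = TYPE_RE.search(line)
        if t and bindings:
            bindings[-1].kind = t["kind"]
            bindings[-1].age = int(t["age"])
    return bindings


def check_arp(bindings: List[Binding], vlan: int, sender_ip: str,
              sender_mac: str) -> Tuple[str, str]:
    """Classify an ARP sender pair seen on a VLAN: 'ok' (pair matches a
    binding), 'conflict' (the IP or the MAC is bound to a different partner)
    or 'no-binding' (nothing learned, e.g. a static-IP host)."""
    mac = norm_mac(sender_mac)
    by_ip = {(b.vlan, b.ip): b for b in bindings}
    by_mac = {(b.vlan, b.mac): b for b in bindings}
    bound = by_ip.get((vlan, sender_ip))
    if bound is not None and bound.mac != mac:
        return "conflict", f"{sender_ip} is bound to {bound.mac} ({bound.kind}), claimed by {mac}"
    owner = by_mac.get((vlan, mac))
    if owner is not None and owner.ip != sender_ip:
        return "conflict", f"{mac} holds {owner.ip} ({owner.kind}), now claims {sender_ip}"
    if bound is None:
        return "no-binding", f"no DHCP binding for {sender_ip}/{mac} on VLAN {vlan}"
    return "ok", f"{sender_ip}/{mac} matches a {bound.kind} binding"


if __name__ == "__main__":
    table = parse_snoop_table(SNOOP_TABLE)
    # Constructed ARP samples: a leased client, a client claiming the router
    # IP, and a host that never obtained a lease.
    for vlan, ip, mac in [(10, "192.168.10.101", "00-12-79-DE-38-40"),
                          (10, "192.168.10.1", "00-13-02-2E-78-82"),
                          (10, "192.168.10.200", "00-AA-BB-CC-DD-EE")]:
        print(vlan, ip, mac, *check_arp(table, vlan, ip, mac))
```

The second sample is the ARP-spoofing case the slide's feature exists for (a leased client announcing the router's IP); the third is the static-IP situation that produces no binding at all, which is the population the slide warns about before you disable the check with `no ip-mac conflict`.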

244
FIREWALL FEATURES
IP / MAC Conflict Detection Trusts

Each physical port and WLAN can be configured to trust or un-trust ARP
and DHCP packets and drop suspicious packets
– ARP Trusted / Un-trusted
• ARP inspection and spoofing protection off /on
– DHCP Trusted / Un-trusted
• Will allow / block DHCP offers and ACKs received
• Implies valid DHCP server is present/absent
This is in addition to firewall policy
– service pktcap on drop will show “DHCP request to untrusted
destination”

Element | Default ARP Trust Level | Default DHCP Trust Level
Physical Ports | Un-trusted | Trusted
WLANs | Un-trusted | Un-trusted
Tunnelled VLANs | Un-trusted | Un-trusted

245
STATEFUL PACKET INSPECTION
Overview

Stateful inspection for all IPv4 flows


– Switched (L2) or Routed (L3)
– On Controllers and APs
– Layer 2 inspection disabled by default
Stateless packet filtering for non IPv4 flows
– AppleTalk, IPX and IPv6

Inspects flows typically not visible to wired


firewalls :
– Wired to Wired, Wired to WLAN, WLAN to
WLAN

Application-Layer features for many protocols


– ALGs, DPI, DNS, HTTP, etc

Mobility-aware
– Maintains state of TCP, UDP and ICMP flows
as they traverse the Controllers or APs
– All flows are migrated as Wireless Clients
roam (with re-evaluation)

246
STATEFUL PACKET INSPECTION
ACLs

ACL attachment point IP (in/out) MAC (in/out)


WLANs 1 1 1 1
Virtual IP Interfaces 1 1
Physical Ports 1 1
Clients (Role-Based Firewall) 2 2 2 2

Each ACL must contain one or more permit rules for traffic to be forwarded:
– Each rule is inspected in order of preference
– The first rule to match the flow is used
– Each ACL includes implicit “deny any any” rule at the end
• Empty ACL is equivalent to “allow any any”

248
STATEFUL PACKET INSPECTION
Enhanced L3 Firewall GUI

Simple visualization and rule creation workflow


– Drag-and-drop rules to change sequence/priorities
• Re-sequencing also available via CLI
– Point and click to modify any field in the rule
– Point and click to disable individual rules
Search box to quickly locate rules
Note that not all columns are displayed by default!

249
STATEFUL PACKET INSPECTION
DNS support

In many cases it is more convenient to have a hostname instead of IP address


– Dynamic IPs, cloud services (load-balanced, multiple IPs), etc
– Entering DNS name directly in ACL drastically reduces effort and makes ACL more readable
Real blocking still happens by IP
– Device builds ‘snoop table’ (DNS-to-IP mapping)
– Mappings are learned dynamically and aged to ensure actuality
– Multiple interfaces are honoured (different NS on different interfaces)
– Multiple IPs per host are honoured
– Not supported: IPv6, usage for IpSEC/NAT
– Exact or partial matches are supported (‘contains’, ‘suffix’)
Additional content filtering options:
– OpenDNS integration
– Advanced web filtering (subscription-based) based on categories

250
STATEFUL PACKET INSPECTION
Deep Packet Inspection (DPI) / Application Visibility and Control (AVC)

• Configurable and extensible


• Granular traffic engineering
• Granular application control
• Stats for 24hrs (more with nSight)
• Multiple deployment modes

251
FIREWALL FEATURES
Role-Based Firewall (Role-Based Access Control)

Role: Voice
 SSID (Exact) = Voice
 Encryption (Exact) = CCMP
 Auth (Exact) = None
 IP ACL (in) = Voice
 VLAN = 55

Role: Guests
 SSID (Exact) = Guest
 Encryption (Exact) = None
 Auth (Exact) = None
 Hotspot-Auth = Post-Login
 Group (Exact) = Guests
 IP ACL (in) = Guests
 VLAN = 10

Role: Sales
 SSID (Exact) = Corp
 Encryption (Exact) = CCMP
 Auth (Exact) = EAP
 LDAP Group (Exact) = Sales
 IP ACL (in) = Sales
 VLAN = 20

Role: Engineering
 SSID (Exact) = Corp
 Encryption (Exact) = CCMP
 Auth (Exact) = EAP
 LDAP Group (Exact) = Engineering
 IP ACL (in) = Engineering
 VLAN = 20

Role: Contractors
 SSID (Exact) = Guest
 Encryption (Exact) = None
 Auth (Exact) = None
 Hotspot-Auth = Post-Login
 Group (Exact) = Contractors
 IP ACL (in) = Contractors
 VLAN = 15

Role: Corp-BYOD
 SSID (Exact) = Corp
 Encryption (Exact) = CCMP
 Auth (Exact) = EAP
 LDAP Group = ( Sales | Engr | Admin)
 OS = (Android | iOS)
 IP ACL (in) = BYOD
 VLAN = 15

254
WIRELESS IPS
Onboard “Enhanced” WIPS

Provides
– Smart Part Time Scanning
– Rogue AP Detection (wired and wireless)
– Mitigation and Rogue termination (wireless Device only)
– Device Categorization (Neighbour, Interferer, Rogue)
– 32 Signatures
– Custom Signatures
– Logging and Reporting (incl PDF)

Enabled via WIPS Policies:
– RF Domains: groups of Access Points
– Overrides: individual Access Points

Does not require running on controller
– Runs on RF-Domain manager
– Supports multiple controller-managed RF Domains

[Diagram: WIPS Policy (Customized Events, Signatures) applied to an RF Domain]

255
WIRELESS IPS
Logging and Reporting

WIPS events are automatically


saved to the system log on the
Controller
– Requires Message Logging
and Buffered Logging to be
enabled
WIPS Events can be optionally
forwarded to SNMP Server, Syslog
Server or Email address using
System Event Policies

PDF reports are also available for


AP Detection

256
WING5 WIPS COMPARISON

Feature | Onboard Enhanced WIPS (Free) | Air Defense WIPS
Scanning Mechanisms | Part-Time Scan | Dedicated Radios
Threat Detection Engines | 1 | 4
Events in Threat Library | 32 | 300+
Rogue Detection Techniques | 2 | 5
Rogue AP Containment | Over the air | Over the air and Over the wire
Zero-Day Attack Protection | Firewall - if it is in the data path | +
Comprehensive Vulnerability Protection | + | +
Policy Compliance Monitoring | | +
Automated Mitigation | + (limited) | + (extensive, customized)
Reporting | + (limited) | + (extensive, customized)
Customizable Reports | | +
Forensic Data Capture | | +
Notification Types | SNMP, Syslog, Email | SNMP, Syslog, Email
Customizable Notifications | | Email, Syslog
Location Tracking | | +
Cost | Free (Integrated) | $$ per sensor

257
FIREWALL AND IPS
How do I find what’s blocked?
service pktcap on drop
– Any drop reasons, including destination unreachable, DHCP trusts, CRC errors, etc
– Can direct packets to external FTP log file or Wireshark (discussed later)
more system:/proc/dataplane/drops
– Aggregated drop statistics
service pktcap on deny [acl-name <name>]
– Packets denied by specific ACL

ACL logging
– acl-logging (firewall policy) forward ACL drop messages to syslog
– ACL “log” action (individual ACL rule) – log interesting traffic
– Not shown in default Event History
– Tons of traffic generated – better use external syslog and disable when not used

DPI logging (Profile / Device)


– dpi logging [on | level …]

WIPS Denies and client blacklist


– show wireless wips client-blacklist
– service wireless wips clear-client-blacklist (all | MAC | …)
– show wireless wips event-history

258
FIREWALL
Check your understanding

Is the firewall enabled or disabled by default? How do you check which features are
1 enabled by default? Do you want to disable firewall completely ever?
_______________________
Which of these features require a license: DPI/AVC ___ , WIPS ___ , RBAC ___ ,
2 DNS/OpenDNS filtering ___ , Web filtering ___ ?

Which ARP traffic is considered trusted by default?


3 _______________________________________________________________________

How can you automatically disassociate wireless clients that attempt port scans?
4 _______________________________________________________________________

Which rule is implicitly placed at the end of any MAC/IP ACL? What about empty ACL?
5 _______________________________________________________________________

What types of Rogue Detection and Termination are supported by the onboard WIPS?
6 _______________________________________________________________________

What would you want to do in your network before enabling Storm Controls?
7 _______________________________________________________________________

Any questions before we move on?


259
LAB: SECURITY

– Lab08: Configure firewall policy according


to best practices

260
SECURITY FEATURES
Module recap

Check your learning, can you perform the following?


 Explain the differences in wired vs wireless threat model?
 List and describe key WING5 security features and their use cases?
 Explain which of these features require a license, and which are free?
 Describe the best practices for configuring security features?
 List useful monitoring commands and logs for Firewall and WIPS?

Any lab experiences or opinions to share?


Was this helpful? How?

Any questions before we move on?

261
WAN FEATURES
Connecting sites w/o third-party equipment

262
WAN FEATURES
Module Intro

Here’s what you’ll learn:


 List at least four ways of providing WAN backhaul with WiNG5
 List at least five intelligent forwarding features supported by WiNG5
 List at least six WAN high availability features supported by WiNG5
 Explain automated VPN with Auto IPSec Secure feature
 Explain Critical Resource Monitoring feature
 Explain VRRP feature
Plan:
 Discuss the topics.
 Check your knowledge by answering recap questions

What are your experiences with WANs?


Do you think you might need it?

263
WAN
Backhaul Features
L3 over L3: IPsec VPN
– Encapsulates and forwards IPv4 traffic over an encrypted tunnel
– Flexible traffic selection via ACL
– Dead peer detection and failover (CRM support), NAT and NAT-T support
– Widely supported by third-party routers, VPN gateways and firewalls
– Complex to configure compared to L2TPv3
L2 over L3: L2TPv3
– Simpler to set up than IPsec, but less flexible
– Encapsulates and forwards layer 2 traffic over an encrypted or un-encrypted tunnel
– Allows tunneling selected VLANs (can bridge or route traffic)
– Multiple establishment and failover options, CRM support
– Widely supported by third-party routers and concentrators
L2 over L3: L2 MiNT Links
– Allows tunneling selected VLANs (can bridge or route traffic)
– Can be easily set up in a secure manner with Auto IPsec Secure
• Including through an intermediate VPN gateway and NAT
– Failover supported via the RF Domain Manager mechanism
– A lot easier to set up and maintain than IPsec and L2TPv3, but proprietary
PPPoE support with IPsec and NAT
[Diagram: Data Center connected to a Remote Site over the WAN]

264
WAN
Auto IPsec Secure – Automated VPN

Easy semi-automatic IPsec VPN with


minimal configuration effort:
– AP  Controller
– Optionally, through a 3rd-party VPN
gateway
– NAT-T is supported
Minimal setup effort
– Only need to set up PSK/certificate
– Everything else can be supplied via
DHCP option 191
– Configured via DHCP option 191 or pre-
staging
Limitations
– APs need to use the same Group ID
– Secures MiNT link only (still can tunnel
traffic over)

Sample DHCP Option 191:

pool1=<controller-hostname>,<controller-hostname>;ipsec-secure-group1=<vpn-gw-hostname>;level=2

265
WAN
Intelligent forwarding

Routing
– Static, RIPv2, OSPFv2, eBGPv4
– IPv4 and IPv6 support
Policy Based Routing
– Route traffic not just on next-hop,
but using the full power of ACLs
Split Tunnelling
– Selectively choose what goes into
tunnels based on ACL
– L2NAT – split tunnelling for L2 traffic
NAT
– Source/destination, static/dynamic
NAT and PAT.
– NAT for IPsec traffic
Rate limiting
– Physical links, Tunnelled VLANs,
Tunnels (L2TPv3)

266
WAN
High Availability options

Critical Resource Monitoring


– Monitor certain hosts for availability and alert other services
– WLANs, IPsec, L2TP, PBR, etc
Multiple DGWs with priority and failover
NAT Failover
– Multiple overloaded NAT interfaces
– Failover or static load balancing
VRRP
– Including forming groups with 3rd party routers and monitoring their uplink
via CRM
Tunnel Failover (L2TP, IPsec, MiNT)
3G Failover (for platforms with 3G radio support)

267
WAN FEATURES
Check your understanding

List at least three backhaul features available:


1 _______________________________________________________________________

List at least three intelligent forwarding features available:


2 _______________________________________________________________________

List at least three high availability features available:


3 _______________________________________________________________________

What does Auto IPsec secure allow? Can it be deployed “out of the box”?
4 _______________________________________________________________________

How can you ensure that APs are not lost during adoption due to pushing new config that
5 erases their network settings? _______________________________________________

Do we support IPv6? Did you have any IPv6 deployment?


6 _______________________________________________________________________

At least how many possible WAN scenarios can be implemented using the options
7 above? _________________________________________________________________

269
WAN FEATURES
Module recap

Check your learning, can you perform the following?


 List at least four ways of providing WAN backhaul with WiNG5
 List at least five intelligent forwarding features supported by WiNG5
 List at least six WAN high availability features supported by WiNG5
 Explain automated VPN with Auto IPSec Secure feature
 Explain Critical Resource Monitoring feature
 Explain VRRP feature

Any experiences or opinions to share?


Was this helpful? How?

Any questions before we move on?

270
EFFICIENT
MANAGEMENT AND
OPERATIONS
Tips & tricks

271
EFFICIENT MANAGEMENT AND OPERATIONS
Module Intro

Here’s what you’ll learn:


 What are the best practices for firmware upgrade procedures in WiNG?
 How to perform firmware upgrades with minimal disruptions?
 How to perform upgrades efficiently with minimal effort?
 How can I use WiNG mass management tools to make my network scalable
while keeping my configs simple?
 What WiNG features allow reducing the human error in complex
deployments?

Plan:
 Discuss the topics.
 No recap, we want more to raise awareness.

What are your experiences managing devices?


Do you do this in your daily work?

272
FIRMWARE
MANAGEMENT
And device upgrades

273
FIRMWARE MANAGEMENT
Can you do it efficiently and safely?

Automatic
– Auto Install
• Fetched from external TFTP server
via DHCP option
• Rarely used
– Auto-upgrade during adoption
• Works for APs and Controllers
• Configured on adopting controller
• SC will fetch the FW from CC or
local cluster member if needed
– Disable in production environment?

Manual via controller distribution


– Upload image to Central Controller
– Select devices/sites to upgrade
– Run immediately or schedule
– CC pushes FW to SC(s) or RFDMs
– SC/RFDM pushes FW to site APs

274
FIRMWARE MANAGEMENT
Example – AP RFDM

[Diagram: DC Cluster, remote RF Domains (Site Cluster) and Access Points, with numbered callouts; recovered as far as the garbled original allows:]
1 Device Upgrade initiated for the remote RF Domain using the CLI or Web-UI
2/4 Firmware for the AP 6532s / AP 6521s is transferred to the elected RF Domain Manager for the remote site
3/5 The elected RF Domain Manager (an AP 6532) upgrades all the AP 6532s / AP 6521s within the site (by default 10 at a time) and upgrades itself last
6/7 If selected, the RF Domain Manager reboots the Access Points at the site and itself last


FIRMWARE MANAGEMENT
Example – Site Controller cluster

[Diagram: DC Cluster, remote RF Domains with Site Clusters (active and standby RFS 6000 Site Controllers) and Access Points, with callouts numbered 1 to 9; only the following can be recovered from the garbled original, and their order is only partly legible:]
1 Device Upgrade initiated for the remote RF Domain using the CLI or Web-UI
– Firmware for the RFS 6000 Site Controllers and the Access Point firmware for the remote site are transferred from the Centralized Controller; the Access Point firmware is installed on both Site Controllers
– The active and standby Site Controllers upgrade and are automatically rebooted or manually reset; the Access Points un-adopt
– Once the active and standby Site Controllers are back on-line, the Access Points re-adopt to the active Site Controller
– The RFDM downloads the Access Point firmware from the active Site Controller; the Access Points are upgraded (by default 10 at a time) and, after successfully upgrading, are automatically rebooted

276
FIRMWARE MANAGEMENT
Considerations
Recommended concurrent upgrades:
• Site Controller: <= 20
• RFDM AP: <= 10
• DC Controller: <= 128
– Tune based on bandwidth available

“Lean” Controller images
– Controller image w/o bundled AP images
– 30M vs 100M
– For older systems with little flash
– Will you use it in single site deployment? ___

Images stored in flash:/upgrade/
– Delete unnecessary ones
– Site Controller can always get image from another cluster member or CC
– Cached by default

cc#device-upgrade load-image ap6532 http://172.16.20.99:8080/AP6532-5.5.0.0-055B.img
-------------------------------------------------
CONTROLLER STATUS MESSAGE
-------------------------------------------------
dc Success Successfully initiated
-------------------------------------------------

cc#show device-upgrade load-image-status
Download of ap6532 firmware file is 58% complete

cc#show device-upgrade versions
-------------------------------------------------
CONTROLLER DEVICE-TYPE VERSION
-------------------------------------------------
dc ap650 5.5.0.0-055B
...
dc ap6532 5.5.0.0-055B
dc ap71xx none
dc rfs4000 none
-------------------------------------------------

cc#dir flash:/upgrade/
Directory of flash:/upgrade/.
-rw- 21541911 simba.img

cc#sh run profile rfs4000 rfs-cc inc | inc persis
device-upgrade persist-images
FIRMWARE MANAGEMENT
How to initiate?
device-upgrade <scope> <options>
– Scope: [RF Domain] [Model] [Device]
– device-upgrade all
– device-upgrade rf-domain site01 all
– device-upgrade rf-domain site01 ap71xx ap01-1 ap01-2
– device-upgrade rfs4000 all
– device-upgrade ap01-1

– Options (can be combined, maintain order)


– upgrade-time, reboot-time Schedule upgrade/reboot date/time
– no-reboot No reboot after upgrade (reboot manually)
– staggered-reboot Reboot one at a time (minimize network impact)
– no-via-rf-domain Do not proxy through RFDM

Example: device-upgrade rf-domain site01 all upgrade-time 23:00


reboot-time 07/07/2017 staggered-reboot

View status and history: show device-upgrade (status | history)

GUI: Operations Screen – all the same logic


MASS MANAGEMENT
Implementing scalable deployments

279
MASS MANAGEMENT/DEPLOYMENT
How do you deal with that?
Retail Scenario: 500 stores
– No site controller
– Each has own IP subnet, has to have 2 ACLs
– Each has own on-site AAA proxies
– PSK, SSID differ per store
– L2TP tunnels for local VLANs
– Some stores historically have different VLAN IDs

How many config objects will you need?
– Dedicated RF Domain
– 2 dedicated ACLs
– Dedicated WLAN
– Dedicated AAA policy
– Dedicated L2TP tunnel config
– Dedicated profile to assign ACLs and WLAN
– 7 objects per each new store + extra rule in auto-provisioning policy
– How many for 500 ?

…and then they decide to unify PSKs

…and then deploy another WLAN in all stores and edit ACLs

[Diagram: Store 1 (192.168.100.0/22; VLAN 10 192.168.103.0/24; Voice GW 192.168.100.1/24; Store Server 192.168.100.10/24) and Store 2 (192.168.104.0/22; VLAN 10 192.168.107.0/24; Voice GW 192.168.104.1/24; Store Server 192.168.104.10/24), each with ACL rules Permit SIP & RTP and Permit SSH & HTTPS]
MASS MANAGEMENT/DEPLOYMENT
Overview

WiNG5 Delivers
– Configuration model
• Profile/override system itself
• Auto Provisioning wildcards
• Network object aliases: host IP/names, subnets, VLANs, flows (protocol/port),
etc…
• RF Domain overrides
– Operations
• CLI shortcuts
• Automation of file management operations
– Device upgrades / reboots, captive portal pages upload, etc
• Remote /distributed command execution (show … on …), debugging and packet
capture

281
ADOPTION
Auto-provisioning wildcards

Static provisioning – assign static RF-Domain and/or Profile


• One rule in the policy per assignment
– 1500 sites (1500 different RF-Domains) = 1500 rules
Wildcard provisioning – assign by a match criteria
– Select RF-Domain/Profile with a name matching a substring
– Example:
• Line from the Auto-Provisioning policy
– adopt ap7xxx precedence 10 rf-domain s$FQDN[11:13]
• AP FQDN: AP01-STORE101.corp.com
• Result: assign rf-domain ‘s101’
– 1500 sites = 1 rule

Less is More:
– Shorter configuration, quicker deployments, improved scalability
ADOPTION
Match tags available for wildcards (most popular ones)

TAG | Description
$FQDN | Fully Qualified Domain Name substring or just the domain part
$DNS-SUFFIX | ap001.site01.corp.com, *.site01.corp.com
$DHCP | DHCP option 191 substring if ‘rf-domain’ tag is present (pool1=10.0.1.1;rf-domain=site001; level=2)
$SN, $MODEL | Exact Serial Number / Model match
$AUTO-RF-DOMAIN | RF Domain of the adopter

Syntax: $TAG[start character:end character]. Can you guess what these do?
test-$FQDN[4:6], test-$FQDN
test-$FQDN[4:], test-$FQDN[:4], test$-FQDN[:4]
st$DHCP-$FQDN[4:6]remote

All matched as case-insensitive strings (in addition to other criteria!)


More in the Auto-Provisioning HOWTO
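The tag substitution above and the DHCP option 191 string format (used here for the rf-domain tag and on the Auto IPsec Secure slide for pool1 / ipsec-secure-group1 / level) can be modelled in a few lines. The following is an added example, not WiNG code: it treats the [start:end] range as 1-based and inclusive, an assumption inferred from the slide's own example ($FQDN[11:13] of AP01-STORE101.corp.com yields 101), takes $DNS-SUFFIX as everything after the host label, and compares the device type in a rule as a plain string. The option 191 strings, hostnames, serial numbers and rule list are constructed sample values.

```python
"""Added example (not WiNG code): auto-provisioning wildcard tags and DHCP
option 191 parsing as described on the slides. Assumptions: 1-based inclusive
character ranges; $DNS-SUFFIX = everything after the host label."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

TAGS = ("DNS-SUFFIX", "AUTO-RF-DOMAIN", "FQDN", "DHCP", "MODEL", "SN")
TAG_RE = re.compile(r"\$(?P<tag>" + "|".join(TAGS) + r")(?:\[(?P<start>\d*):(?P<end>\d*)\])?")


def parse_option191(raw: str) -> Dict[str, str]:
    """Split 'key=value;key=value' as used for adoption (pool1=..., rf-domain=...,
    level=...) and for Auto IPsec Secure (ipsec-secure-group1=...). Whitespace
    around tokens is tolerated: the slide shows 'rf-domain=site001; level=2'."""
    opts: Dict[str, str] = {}
    for item in raw.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            opts[key.strip().lower()] = value.strip()
    return opts


def controller_pool(opts: Dict[str, str], name: str = "pool1") -> List[str]:
    """Controller hostnames/IPs of a pool entry (comma separated on the slide)."""
    return [h.strip() for h in opts.get(name, "").split(",") if h.strip()]


def build_tags(fqdn: str, option191: Optional[str] = None, serial: Optional[str] = None,
               model: Optional[str] = None, adopter_rf_domain: Optional[str] = None) -> Dict[str, str]:
    """Tag values for one adopting AP. $DHCP exists only when option 191 carries
    an rf-domain entry, as the slide states; a tag without a value cannot expand."""
    tags = {"FQDN": fqdn, "DNS-SUFFIX": fqdn.split(".", 1)[1] if "." in fqdn else ""}
    if option191:
        rf_domain = parse_option191(option191).get("rf-domain")
        if rf_domain:
            tags["DHCP"] = rf_domain
    if serial:
        tags["SN"] = serial
    if model:
        tags["MODEL"] = model
    if adopter_rf_domain:
        tags["AUTO-RF-DOMAIN"] = adopter_rf_domain
    return tags


def char_range(value: str, start: str, end: str) -> str:
    """$TAG[start:end] with 1-based inclusive positions; either side may be empty."""
    first = int(start) - 1 if start else 0
    last = int(end) if end else len(value)
    return value[first:last]


def expand(pattern: str, tags: Dict[str, str]) -> str:
    """Replace each $TAG or $TAG[a:b] in an RF Domain / Profile name pattern.
    Names are matched case-insensitively (slide), so the result is lower-cased."""
    def repl(m) -> str:
        tag = m["tag"]
        if tag not in tags:
            raise KeyError(f"${tag} has no value for this device")
        return char_range(tags[tag], m["start"], m["end"])
    return TAG_RE.sub(repl, pattern).lower()


def select_rf_domain(rules: Sequence[Tuple[int, str, str]], device_type: str,
                     tags: Dict[str, str]) -> Optional[str]:
    """rules are (precedence, device type, rf-domain pattern) triples mirroring
    'adopt ap7xxx precedence 10 rf-domain s$FQDN[11:13]'. Lowest precedence wins;
    the device-type comparison is a plain string match here (simplification)."""
    for _, dtype, pattern in sorted(rules):
        if dtype == device_type:
            return expand(pattern, tags)
    return None


if __name__ == "__main__":
    # Constructed sample AP: FQDN from the slide, option 191 from the tag table.
    ap = build_tags("AP01-STORE101.corp.com",
                    option191="pool1=10.0.1.1;rf-domain=site001; level=2", model="ap7131")
    print(select_rf_domain([(10, "ap7xxx", "s$FQDN[11:13]")], "ap7xxx", ap))  # s101
    print(expand("st$DHCP-$FQDN[4:6]remote", ap))
    print(controller_pool(parse_option191(
        "pool1=ctrl1.example.net,ctrl2.example.net;ipsec-secure-group1=vpngw.example.net;level=2")))
```

Running the quiz patterns from the slide through expand() is the quickest way to check your own answers; a pattern that references $DHCP on an AP whose option 191 carries no rf-domain entry raises, which is the case to watch for when mixing DHCP-driven and FQDN-driven rules in one policy.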
FIREWALL
Firewall Objects/Aliases

Use friendly names (macros/aliases) in ACLs instead of numbers


– Instead of
• permit udp/1812 192.168.0.1/24  172.16.1.111
• permit udp/1812 192.168.0.1/24  172.16.1.112
– Use
• permit $AAA-Services $Guest-WLAN  $AAA-Servers
• $AAA-Services could include multiple flows (for complex applications)

Use different values for the same Alias for different sites
– On site1: ‘AAA-Servers’ = 172.16.1.111, 172.16.1.112’
– On site2: ‘AAA-Servers’ = 172.16.2.111, 172.16.2.112’
– Just put overrides in RF-Domains

Defines and overrides:


– Global  Profile  RF Domain  Device

Why/when use it?

284
FIREWALL ALIASES
Example: without aliases

IP ACL for Guest User Traffic that permits DHCP, DNS, HTTP, HTTPS and
IPsec traffic.

Precedence | Action | Source | Destination | Protocol | Mark | Log | Enabled
10 | Permit | Any | Any | UDP Src:67 Dst:68 | No | No | Yes
11 | Permit | 192.168.25.0/24 | 208.67.222.222 | UDP Dst:53 | No | No | Yes
12 | Permit | 192.168.25.0/24 | 208.67.220.220 | UDP Dst:53 | No | No | Yes
20 | Permit | 192.168.25.0/24 | Any | TCP Dst:80 | No | No | Yes
21 | Permit | 192.168.25.0/24 | Any | TCP Dst:443 | No | No | Yes
30 | Permit | 192.168.25.0/24 | Any | ESP | No | No | Yes
31 | Permit | 192.168.25.0/24 | Any | UDP Dst:500 | No | No | Yes
32 | Permit | 192.168.25.0/24 | Any | UDP Dst:4500 | No | No | Yes
100 | Deny | 192.168.25.0/24 | Any | IP | No | Yes | Yes

285
FIREWALL ALIASES
Example: with aliases

Same IP ACL using objects:

Precedence | Action | Source | Destination | Protocol | Mark | Log | Enabled
10 | Permit | Any | Any | $DHCP | No | No | Yes
11 | Permit | $GUEST-NET | $DNS-SERVERS | UDP Dst:53 | No | No | Yes
20 | Permit | $GUEST-NET | Any | $WEB | No | No | Yes
30 | Permit | $GUEST-NET | Any | $IPSEC | No | No | Yes
100 | Deny | $GUEST-NET | Any | IP | No | Yes | Yes

Network Alias $GUEST-NET: Network 192.168.25.0/24
Network Alias $DNS-SERVERS: Host 208.67.222.222, Host 208.67.220.220
Services Alias $WEB (Idx | Protocol | Src Port | Dst Port): 1 | TCP | ANY | 80; 2 | TCP | ANY | 443
Services Alias $IPSEC (Idx | Protocol | Src Port | Dst Port): 1 | ESP | ANY | ANY; 2 | UDP | ANY | 500; 3 | UDP | ANY | 4500
Services Alias $DHCP (Idx | Protocol | Src Port | Dst Port): 1 | UDP | 67 | 68
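The ACL semantics from the Stateful Packet Inspection slides (rules tried in precedence order, first match wins, implicit deny any any, empty ACL permits), the per-site alias overrides from the Firewall Objects slide (Global, Profile, RF Domain, Device, with the most specific definition winning) and the guest ACL above can all be exercised with one small evaluator. This is an added example, not WiNG code: the guest rules and alias values are those on the slides, while the scope dictionary layout, rule 40 (guest RADIUS traffic to $AAA-Servers, mirroring the permit $AAA-Services line earlier), and the test flows are constructed.

```python
"""Added example (not WiNG code): first-match IP ACL evaluation with aliases
resolved across override scopes (Global -> Profile -> RF Domain -> Device)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple, Union

ANY = None  # wildcard for an address alias or a port


@dataclass(frozen=True)
class Service:
    proto: str                     # "tcp", "udp", "esp"; "ip" matches any protocol
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY


@dataclass(frozen=True)
class Rule:
    precedence: int
    action: str                    # "permit" or "deny"
    src: Optional[str]             # network alias name or ANY
    dst: Optional[str]
    service: Union[str, Service]   # service alias name or an inline Service
    log: bool = False
    enabled: bool = True


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: Optional[int] = ANY
    dst_port: Optional[int] = ANY


SCOPE_ORDER = ("device", "rf-domain", "profile", "global")  # most specific first


def resolve(alias: str, scopes: dict):
    """Alias definition from the most specific scope that defines it."""
    for scope in SCOPE_ORDER:
        if alias in scopes.get(scope, {}):
            return scopes[scope][alias]
    raise KeyError(f"alias {alias} is not defined in any scope")


def addr_matches(addr: str, alias: Optional[str], scopes: dict) -> bool:
    if alias is ANY:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in resolve(alias, scopes))


def service_matches(flow: Flow, svc: Service) -> bool:
    if svc.proto != "ip" and svc.proto != flow.proto:
        return False
    if svc.src_port is not ANY and svc.src_port != flow.src_port:
        return False
    return svc.dst_port is ANY or svc.dst_port == flow.dst_port


def rule_matches(rule: Rule, flow: Flow, scopes: dict) -> bool:
    services = resolve(rule.service, scopes) if isinstance(rule.service, str) else [rule.service]
    return (addr_matches(flow.src_ip, rule.src, scopes)
            and addr_matches(flow.dst_ip, rule.dst, scopes)
            and any(service_matches(flow, s) for s in services))


def evaluate(acl: Sequence[Rule], flow: Flow, scopes: dict) -> Tuple[str, Optional[int], bool]:
    """First enabled rule in precedence order decides; an implicit 'deny any any'
    ends every ACL; an ACL with no rules forwards everything.
    Returns (action, precedence of the matching rule or None, log flag)."""
    if not acl:
        return "permit", None, False
    for rule in sorted(acl, key=lambda r: r.precedence):
        if rule.enabled and rule_matches(rule, flow, scopes):
            return rule.action, rule.precedence, rule.log
    return "deny", None, False


# Global alias definitions (values from the slides; $AAA-Servers = site1 values).
GLOBAL_ALIASES = {
    "$GUEST-NET": ["192.168.25.0/24"],
    "$DNS-SERVERS": ["208.67.222.222", "208.67.220.220"],
    "$AAA-Servers": ["172.16.1.111", "172.16.1.112"],
    "$DHCP": [Service("udp", 67, 68)],
    "$WEB": [Service("tcp", ANY, 80), Service("tcp", ANY, 443)],
    "$IPSEC": [Service("esp"), Service("udp", ANY, 500), Service("udp", ANY, 4500)],
    "$AAA-Services": [Service("udp", ANY, 1812)],
}
SITE2_OVERRIDES = {"$AAA-Servers": ["172.16.2.111", "172.16.2.112"]}  # RF Domain override
SITE1_SCOPES = {"global": GLOBAL_ALIASES}
SITE2_SCOPES = {"global": GLOBAL_ALIASES, "rf-domain": SITE2_OVERRIDES}

# Guest ACL from the slide plus constructed rule 40 for RADIUS to the AAA alias.
GUEST_ACL = [
    Rule(10, "permit", ANY, ANY, "$DHCP"),
    Rule(11, "permit", "$GUEST-NET", "$DNS-SERVERS", Service("udp", ANY, 53)),
    Rule(20, "permit", "$GUEST-NET", ANY, "$WEB"),
    Rule(30, "permit", "$GUEST-NET", ANY, "$IPSEC"),
    Rule(40, "permit", "$GUEST-NET", "$AAA-Servers", "$AAA-Services"),
    Rule(100, "deny", "$GUEST-NET", ANY, Service("ip"), log=True),
]

if __name__ == "__main__":
    aaa = Flow("192.168.25.10", "172.16.2.111", "udp", 51002, 1812)  # constructed
    print("site1:", evaluate(GUEST_ACL, aaa, SITE1_SCOPES))  # hits the logged deny
    print("site2:", evaluate(GUEST_ACL, aaa, SITE2_SCOPES))  # override permits it
```

The same flow to 172.16.2.111 is denied at site1 and permitted at site2 with an identical ACL, which is exactly the point of keeping one ACL and overriding $AAA-Servers per RF Domain; the log flag on rule 100 is also where the ACL "log" action from the monitoring slide would fire.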

286
VLAN ALIASES
Overview

In other cases: $GUEST-VLAN in


– WLAN static VLAN assignment
– WLAN RADIUS VLAN assignment (VSA
strings),
– L2TP /IPSec tunnels
– Trunk allowed VLANs
– DHCP Server Policies
– …and pretty much everywhere else
• Check GUI tooltips or CLI hints
In ACLs (in addition)
– from-vlan xx instead of IP subnet

Supports locally bridged or tunneled traffic


RF DOMAIN OVERRIDES
Overview

Override common objects on a per-site basis
– WLANs
• SSID
• WPA/WPA2 PSK or WEP key
• VLAN
• Status (enabled / shutdown)
– Firewall Objects
• Hosts, Subnets, Source VLANs, Protocols Ports
– VLAN IDs
• WLAN Tunnelling
• Bridge VLAN
• L2TPv3 VLANs
– SMART RF
• Channel list

Minimize the amount of config objects
Simplify change management

[Diagram: an RF Domain surrounded by the objects it can override: Firewall Objects, SMART RF, VLAN IDs, VLAN mapping, WLAN WPA/WPA2 PSK, WLAN Shutdown, WLAN WEP Key, WLAN SSID, WLAN VLAN(s)]

288
MASS MANAGEMENT/DEPLOYMENT
The end result

For entire deployment
– One ‘template’ WLAN
– 2 ACLs with aliases
– One AAA policy with server aliases
– One L2TP tunnel with VLAN alias
– One store ‘template’ profile
– Auto-provisioning policy with wildcards

For each store
• One RF Domain with overrides and aliases

Total:
– 13 objects for 6 stores
– How many for 500 stores? ____
– Easy to deploy and manage

[Diagram: Store 5 (RF Domain: STORE5 with Overrides; 192.168.116.0/22; VLAN 10 192.168.119.0/24; Voice GW 192.168.116.1/24; Store Server 192.168.116.10/24) and Store 6 (RF Domain: STORE6 with Overrides; 192.168.120.0/22; VLAN 10 192.168.123.0/24; Voice GW 192.168.120.1/24; Store Server 192.168.120.10/24), both using Profile: STORES-AP6532, IP-ACL: STORES-WLAN-IN (Permit SIP & RTP, Permit SSH & HTTPS) and WLAN: STORES-WLAN]

289
EFFICIENT MANAGEMENT AND OPERATIONS
Module recap

Check your learning, can you perform the following?
 Explain the best practices for firmware upgrade procedures in WiNG?
 Perform firmware upgrades with minimal disruptions?
 Perform upgrades efficiently with minimal effort?
 Explain how to use WiNG mass management tools to make my network scalable while keeping my configs simple?
 List WiNG features that allow reducing human error in complex deployments?

Any experiences or opinions to share?
Was this helpful? How?
Any questions before we move on?
WING5 TROUBLESHOOTING TOOLKIT
How To Make It Work Again

WING5 TROUBLESHOOTING TOOLKIT
Module Intro

Here's what you'll learn:
 List and explain key rules of troubleshooting
 List and explain WiNG5 troubleshooting features
 List key troubleshooting commands
 Explain and use Remote Debugging functionality
 Explain and use Packet Capture functionality
 Explain the challenges and approaches to performance troubleshooting
 Troubleshoot configuration issues in your lab setup
Plan:
 Discuss the topics
 Check your knowledge by answering recap questions
 Practice your new skills and knowledge in the labs

What are your experiences performing this on WiNG5/4 or other vendors' devices?
How will knowing this help you in your daily work?
TROUBLESHOOTING
What can go wrong

Users
• Business goals
• Client applications
• Client devices
• User environment
Medium (RF)
• Physical (WLAN) environment
• RF aspects
• Medium access
Infrastructure
• L2/L3 aspects
• Traffic management (L2/L3) aspects
Back-end
• Network services
• Applications
• Business goals
TROUBLESHOOTING
Top rules of troubleshooting

Three questions:
– How is it supposed to be?
– Where did it go wrong?
– How to fix it?
Guiding principles:
– Assume nothing
– Trust no one
– Pay attention
– What is normal?
LOGGING AND DEBUGGING
Logging setup

Besides show event-history, proper logging can be configured:
– Log level (Critical  …  Debug)
– Where to send log messages (log file, CLI console, remote syslog host)
– AP logs are aggregated at the Controller by default
– Assigned via Profiles and Overrides
Local log files are rotated (wrapped) based on size
– Consider sending logs to a remote syslog server, otherwise the evidence you need is overwritten before you look for it
LOGGING AND DEBUGGING
WING5 Debugging Capabilities (only important ones)
Category Description and Subcategories
aaa Authentication, authorization, and accounting (RADIUS, etc)
adv-wips Advanced WIPS
ap AP (Adoption, Connect/Disconnect/Reset, Upgrade, etc)
captive-portal Captive Portal (Authentication, Clients, Sessions, State, etc)
certmgr Certificates Manager (Certificate Installed/Failed/Removed/etc)
cfgd Configuration Daemon (lots of subcategories)
cluster Clustering Module
crm Critical Resource Monitoring
dhcpsvr DHCP Server (Status, Interfaces, Leases, Relay)
diag Hardware Diagnostics
dot11 802.11 MAC Level events (Client Association/Disassociation, EAP, MAC, Kerberos, Voice, WPA, etc)
filemgmt File Management (Upload/Download/Copy/etc)
fwu Firmware Update
licmgr License Manager (License Installed, Removed, Invalid)
mesh Mesh (Links status, etc)
nsm Network Services Manager (Interface L2 and L3 status changes)
pm Process Monitor
radconf RADIUS Server Configuration and Status
radio Radio Modules Status and DFS
smrt SMART RF Related
system OS Status (Login, UI, Clock, etc)
ADVANCED DEBUGGING
Remote Debugging – Overview

Sophisticated Remote Debugging facility
– Capture specific wireless debugging events
– Enable debugging on one or more remote WiNG5 devices or RF Domains
– Centrally view the wireless debugging events in real-time

Full visibility into remote clients
– As they associate, authenticate, re-authenticate and roam throughout the remote site

Eliminates the need for:
– Enabling debugging on multiple individual devices
– Forwarding the data to syslog
– Sorting and arranging the data chronologically
– Sifting through multiple debug log entries
ADVANCED DEBUGGING
Remote Debugging – CLI Command Syntax

Can be enabled on
– one or more WiNG5 hosts:
  remote-debug wireless hosts <host1> <host2> .. [Presentation] [Clients] [Max-Events] [Duration] [Events]
– all WiNG5 devices within a specified RF Domain:
  remote-debug wireless rf-domain <rf-domain-name> [Presentation] [Clients] [Max-Events] [Duration] [Events]
ADVANCED DEBUGGING
Remote Debugging – Presentation

Console (default):
– Real-time (as soon as each filtered event is captured):
  [AP03] 14:25:53.322: mgmt:rx auth-req from E0-F8-47-0F-0E-14 on radio 0
  [AP03] 14:25:53.322: mgmt:tx auth-rsp to E0-F8-47-0F-0E-14 on radio 0. status: success
  [AP03] 14:25:53.325: mgmt:rx association-req from E0-F8-47-0F-0E-14 on radio AP03:R1
  [AP03] 14:25:53.325: mgmt:tx association-rsp success to E0-F8-47-0F-0E-14 on wlan (TEST)

Syslog Server (use for aggregation and archiving):
– Real-time (as events are generated):
  remote-debug wireless [Scope] write syslog <syslog-ip-addr> [Clients] [Max-Events] [Duration] [Events]

FTP/TFTP (use for aggregation and archiving):
– Non real-time (buffered):
  remote-debug wireless [Scope] write ftp://<user:password>@<hostname|IP>/<path/filename> [Clients] [Max-Events] [Duration] [Events]
– Note: with FTP the user:password in the URL and the uploaded debug data cross the network in the clear; use a dedicated low-privilege account for debug uploads and keep the FTP server on the management network
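Once the console stream above has been saved (or received via syslog), the chore is turning it back into a per-client story. The following parser is an added Python example, not part of the course material: the first four sample lines are the slide's own console output, the remaining lines are constructed, and the exact wording of a failed association-rsp ("failure") is assumed. It groups the events by client MAC, orders them by timestamp and reports whether each client completed the auth-req / auth-rsp / association-req / association-rsp sequence, was rejected, or stalled.

```python
import re

# Sample events in the slide's console format. The first four lines are from the
# slide; the rest are constructed: a client whose association is rejected and a
# client that sent an auth-req and never got an auth-rsp.
SAMPLE_LINES = """\
[AP03] 14:25:53.322: mgmt:rx auth-req from E0-F8-47-0F-0E-14 on radio 0
[AP03] 14:25:53.322: mgmt:tx auth-rsp to E0-F8-47-0F-0E-14 on radio 0. status: success
[AP03] 14:25:53.325: mgmt:rx association-req from E0-F8-47-0F-0E-14 on radio AP03:R1
[AP03] 14:25:53.325: mgmt:tx association-rsp success to E0-F8-47-0F-0E-14 on wlan (TEST)
[AP03] 14:26:01.100: mgmt:rx auth-req from E0-F8-47-AA-BB-CC on radio 0
[AP03] 14:26:01.101: mgmt:tx auth-rsp to E0-F8-47-AA-BB-CC on radio 0. status: success
[AP03] 14:26:01.104: mgmt:rx association-req from E0-F8-47-AA-BB-CC on radio AP03:R1
[AP03] 14:26:01.105: mgmt:tx association-rsp failure to E0-F8-47-AA-BB-CC on wlan (TEST)
[AP07] 14:26:05.900: mgmt:rx auth-req from E0-F8-47-11-22-33 on radio 1
""".splitlines()

# "[AP] hh:mm:ss.mmm: mgmt:<rx|tx> <frame> [success|failure] <from|to> <MAC> <rest>"
LINE_RE = re.compile(
    r"^\[(?P<ap>[^\]]+)\]\s+"
    r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d+):\s+"
    r"mgmt:(?P<dir>rx|tx)\s+(?P<frame>[\w-]+)"
    r"(?:\s+(?P<inline_status>success|failure))?"
    r"\s+(?:from|to)\s+(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"
    r"(?P<rest>.*)$"
)
STATUS_RE = re.compile(r"status:\s*(\w+)")   # trailing "status: success" form
JOIN_STEPS = ["auth-req", "auth-rsp", "association-req", "association-rsp"]


def parse_line(line):
    """One console line -> dict, or None if the line is not a mgmt event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    h, mi, s = d["ts"].split(":")
    d["seconds"] = int(h) * 3600 + int(mi) * 60 + float(s)
    status = d.pop("inline_status")
    if status is None:
        sm = STATUS_RE.search(d["rest"])
        status = sm.group(1) if sm else None
    d["status"] = status
    d["mac"] = d["mac"].upper()
    return d


def join_report(lines):
    """Per-client join outcome: associated, rejected (a failure status) or incomplete."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["seconds"])
    per_client = {}
    for e in events:
        per_client.setdefault(e["mac"], []).append(e)
    report = {}
    for mac, evs in per_client.items():
        seen = [e["frame"] for e in evs]
        missing = next((s for s in JOIN_STEPS if s not in seen), None)
        failed = next((e for e in evs if e["status"] == "failure"), None)
        outcome = "rejected" if failed else ("associated" if missing is None else "incomplete")
        report[mac] = {
            "aps": sorted({e["ap"] for e in evs}),
            "steps": seen,
            "missing": missing,
            "failed_step": failed["frame"] if failed else None,
            "outcome": outcome,
            "join_ms": round((evs[-1]["seconds"] - evs[0]["seconds"]) * 1000, 1),
        }
    return report


if __name__ == "__main__":
    for mac, info in join_report(SAMPLE_LINES).items():
        print(mac, info["outcome"], info["aps"], info["missing"] or info["failed_step"] or "", f"{info['join_ms']} ms")
```

The "incomplete" bucket is the interesting one in practice: an auth-req with no auth-rsp points at the AP (ACL, client limit, radio) rather than at the back-end, whereas a rejected association-rsp sends you to the events eap, radius and wpa-wpa2 described on the following slides.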
ADVANCED DEBUGGING
Remote Debugging – Presentation / Syslog Server Cont.

[Screenshot: remote-debug events as received on a syslog server]
ADVANCED DEBUGGING
Remote Debugging – Clients and duration

Debug events from individual or groups of remote devices
– Up to 5 specific clients or all wireless clients within the defined scope
– Use all only when capturing a limited subset of events or the number of hosts at the remote site is small
  remote-debug wireless [Scope] [Presentation] clients (<AA-BB-CC-DD-EE-FF> <MAC2> … | all) [Max events] [Duration] [Events]

Limit by number of events, duration in seconds or both
  remote-debug wireless [Scope] [Presentation] [Clients] [max-events: 1 – 10000] [duration: 1-86400] [Events]
– Default: up to 60 events within a 50 second interval
ADVANCED DEBUGGING
Remote Debugging – Events

A subset of local debug events
– All events are forwarded to the Controller that initiated the session
Example:
– Administrator troubleshooting an EAP authentication issue for a wireless client:
  remote-debug wireless rf-domain site02 clients <MAC> events eap radius wpa-wpa2
– Full remote visibility into authentication and key exchange!

all          All debug messages
eap          EAP debug messages
management   802.11 management debug messages
migration    Flow migration debug messages (firewall)
radius       RADIUS debug messages
system       System internal debug messages
wpa-wpa2     WPA / WPA2 debug messages
ADVANCED DEBUGGING
Remote Debugging – Sessions

Multiple sessions can be run on the same system (RFS/NX)
– Useful when multiple administrators are working on the system (global admins, site admins, etc)
– But only one Remote Debugging session per CLI/GUI session
  • No new session from that CLI/GUI session until the max-events or duration threshold is hit!
  • The active session can be stopped with CTRL+C
– A name can be specified for each session
  • View active sessions with show remote-debug
  • Terminate existing sessions with remote-debug end-session <name | user | all>

Filtering is strongly recommended to reduce the event scope, otherwise
– The WAN or centralized console can be quickly saturated
– The CPU performance of WiNG5 devices can also be impacted
ADVANCED PACKET CAPTURE
Overview

Sophisticated integrated packet capture facility on both Controllers and APs
– Capture wired and wireless traffic in real-time
– Local, remote and distributed captures
– Wireless packets can be captured encrypted or unencrypted
– Captured flow can be
  • Streamed to the console (incl. centralized console)
  • Saved to a file (local or remote using FTP)
  • Redirected to an external packet sniffer over IP using TZSP
– Similar syntax to debugging commands:
  • host# service pktcap [Scope] [Presentation] [Capture Points] [Count] [Filters]
  • host# remote-debug live-pktcap [Scope] [Presentation] [Capture Points] [Count] [Filters]
ADVANCED PACKET CAPTURE
Remote Packet Captures

Remote centralized packet captures similar to Remote Debugging
– host# remote-debug live-pktcap [Scope] [Presentation] [Capture Points] [Count] [Filters]
– Additional [Presentation] option: TZSP
  • Stream captured packets to a remote packet analyzer (ex. Wireshark)
  • Provides additional metadata (packet count, hostnames, capture points)
– All remote-debug session management considerations apply

No longer need to deploy multiple standalone sniffers to remotely troubleshoot issues at remote sites!
ADVANCED PACKET CAPTURE
Capture Points (most important ones)

Multiple capture points and direction (in/out) can be specified in the same session:
Ex: capture on GE1, wireless, bridge and drop to see how the packets flow.

interface   Packets transmitted / received over a physical interface, port channel, VLAN, etc
bridge      Packets translated through the Ethernet bridge: LAN  WLAN, WLAN  WLAN, LAN  LAN
ext-vlan    Packets coming in/out of tunnelled VLANs
router      Packets routed between Virtual IP Interfaces
vpn         Packets going in/out of an IPsec VPN tunnel (captured by IPsec ACL). Presented as unencrypted Ethernet frames
wireless    Packets transmitted / received over Wireless LANs (LAN  WLAN, WLAN  WLAN). Presented as unencrypted Ethernet II frames
radio       Raw 802.11 frames transmitted / received over the 802.11 radio. May be encrypted
deny        Packets denied by IP or MAC ACL (can specify ACL name)
drop        Packets dropped by the device, with drop reason: blocked by firewall, no route to host, etc
ADVANCED PACKET CAPTURE
Filters

Flexible filtering support to capture L2-L4 traffic
– Allows administrators to restrict the scope of packets
– Useful for local & remote captures when streaming to console
– Not so useful for local captures into a PCAP file
  • Better capture all and apply filters later in the packet analyzer
– Strongly recommended for remote captures to limit the scope
  • Same logic applies as for Remote Debugging
– Multiple filters can be combined using a logical AND or OR

By default, without any filters applied, only the first 50 packets from the capture point will be matched!
ADVANCED PACKET CAPTURE
WING5 Capture Filters (only important ones)

Category                              Description and Subcategories
arp / cdp / icmp / igmp / lldp / stp  Match ARP / CDP / ICMP / IGMP / LLDP / STP Packets
capwap                                Match CAPWAP Packets: (ctrl, data)
dot11                                 Match 802.11 Packets: (addr, beacon, bssid, ctl, data, mgmt, probe, type)
dropreason                            Match Packet Drop Reason (0 – 65535)
dst / src                             Match IPv4 Destination / Source (net, port)
ether                                 Match Ethernet Frames (broadcast, dst, host, multicast, proto, src)
host / net                            Match IPv4 Address / Subnet
ip                                    Match IPv4 Packets (multicast, proto)
ipv6                                  Match IPv6 Packets
l2 / l3 / l4                          Match L2/L3/L4 Header (u8, u16, u32)
mint                                  Match MINT Packets (dst, host, port, proto, src)
port                                  Match TCP or UDP Port (0 – 65535)
priority                              Match 802.1p Priority (0 – 7)
radio                                 Match Radio (1 – 3)
tcp                                   Match TCP Packets (ack, fin, rst, syn)
udp                                   Match UDP Packets
vlan                                  Match VLAN (1 – 4095)
wlan                                  Match Wireless LAN (1 – 256)
ADVANCED PACKET CAPTURE
Sniffer Redirect

Each radio on a Dependent or Independent AP can be configured to redirect the packets it sees in the air (on a specific channel) to a remote IP using the TaZmen Sniffer Protocol (TZSP)
– To a host running a TZSP-aware analyzer, such as Wireshark
– All packets on the channel are forwarded as received by the radio
– When enabled, the Access Point radio cannot support Wireless Client traffic
– The Access Point must have an IP Address assigned

[Figure: Access Point radio  TZSP  host with IP address 172.16.1.100]
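What actually arrives at the analyzer host is a stream of UDP datagrams in the TZSP framing. The decoder below is an added Python example, not part of the course and not WiNG code: it follows the TZSP layout as dissected by Wireshark (version, type, encapsulation, tagged fields terminated by tag 0x01, then the raw frame), parses the 802.11 Frame Control and addresses, and counts deauthentication/disassociation frames per transmitter, which is the first thing to look at when a site reports clients dropping. The sample datagrams are constructed with a small encoder included in the block. Two caveats a practitioner should keep in mind: TZSP is plain UDP with no encryption or authentication (Wireshark's dissector listens on UDP 37008 by default), so everything the radio hears, management frames and encrypted data frames alike, crosses the network in the clear to whatever host is configured; and a frame with the Protected bit set is still ciphertext, the redirect does not decrypt it.

```python
import struct

TZSP_UDP_PORT = 37008          # port Wireshark's TZSP dissector listens on by default
ENCAP_80211 = 0x0012           # TZSP encapsulation value for raw IEEE 802.11 frames
TAG_PAD, TAG_END = 0x00, 0x01  # one-byte tags with no length field
TAG_NAMES = {0x0A: "rssi_dbm", 0x0B: "noise_dbm", 0x0C: "rate", 0x0D: "timestamp",
             0x10: "decrypted", 0x11: "fcs_error", 0x12: "channel",
             0x28: "packet_count", 0x29: "frame_length", 0x3C: "sensor_serial"}
SIGNED_TAGS = {0x0A, 0x0B}     # signal and noise are signed dBm values
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-rsp", 4: "probe-req", 5: "probe-rsp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}
BROADCAST = "FF-FF-FF-FF-FF-FF"


def build_tzsp(frame, channel, rssi_dbm):
    """Wrap a raw 802.11 frame in a TZSP datagram (test helper, stands in for the AP)."""
    tags = (struct.pack(">BBB", 0x12, 1, channel)
            + struct.pack(">BBb", 0x0A, 1, rssi_dbm)
            + bytes([TAG_END]))
    return struct.pack(">BBH", 1, 0, ENCAP_80211) + tags + frame


def parse_tzsp(data):
    """Decode version, type, encapsulation and the tagged fields; return the payload."""
    if len(data) < 4:
        raise ValueError("datagram shorter than TZSP header")
    version, ptype, encap = struct.unpack(">BBH", data[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    tags, i = {}, 4
    while True:
        if i >= len(data):
            raise ValueError("tag list not terminated")
        tag = data[i]
        i += 1
        if tag == TAG_END:
            break
        if tag == TAG_PAD:
            continue
        if i >= len(data):
            raise ValueError("truncated tag")
        length = data[i]
        i += 1
        value = data[i:i + length]
        i += length
        if len(value) != length:
            raise ValueError("truncated tag value")
        name = TAG_NAMES.get(tag, f"tag_{tag:#04x}")
        if length == 1:
            tags[name] = struct.unpack(">b" if tag in SIGNED_TAGS else ">B", value)[0]
        else:
            tags[name] = int.from_bytes(value, "big") if length <= 4 else value
    return {"type": ptype, "encap": encap, "tags": tags, "frame": data[i:]}


def parse_80211_header(frame):
    """Frame Control flags and the three addresses of a generic 802.11 MAC header."""
    if len(frame) < 24:
        raise ValueError("802.11 header too short")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    mac = lambda b: "-".join(f"{x:02X}" for x in b)
    return {
        "type": {0: "mgmt", 1: "ctrl", 2: "data"}.get(ftype, "ext"),
        "subtype": MGMT_SUBTYPES.get(subtype, str(subtype)) if ftype == 0 else str(subtype),
        "protected": bool(fc1 & 0x40),   # Protected Frame bit: payload is still encrypted
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "addr1": mac(frame[4:10]),
        "addr2": mac(frame[10:16]),
        "addr3": mac(frame[16:22]),
    }


def deauth_summary(datagrams):
    """Count deauth/disassoc frames per transmitter, keyed by (addr2, is_broadcast)."""
    counts = {}
    for dg in datagrams:
        pkt = parse_tzsp(dg)
        if pkt["encap"] != ENCAP_80211:
            continue
        hdr = parse_80211_header(pkt["frame"])
        if hdr["type"] == "mgmt" and hdr["subtype"] in ("deauth", "disassoc"):
            key = (hdr["addr2"], hdr["addr1"] == BROADCAST)
            counts[key] = counts.get(key, 0) + 1
    return counts


def mgmt_frame(subtype, addr1, addr2, addr3, body=b""):
    """Minimal management frame: FC, duration, addr1-3, sequence control, body."""
    return bytes([subtype << 4, 0x00]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00" + body


# Constructed sample stream: three broadcast deauths (reason 7, little-endian) from
# one BSSID, then one protected data frame from a client towards the AP.
BSSID = bytes.fromhex("001122334455")
CLIENT = bytes.fromhex("e0f8470f0e14")
DEAUTH = mgmt_frame(12, b"\xff" * 6, BSSID, BSSID, body=b"\x07\x00")
DATA = bytes([0x08, 0x41]) + b"\x00\x00" + BSSID + CLIENT + BSSID + b"\x00\x00" + b"\x00" * 8
SAMPLE_DATAGRAMS = [build_tzsp(DEAUTH, 6, -55)] * 3 + [build_tzsp(DATA, 6, -61)]

if __name__ == "__main__":
    print(parse_tzsp(SAMPLE_DATAGRAMS[0])["tags"], deauth_summary(SAMPLE_DATAGRAMS))
```

Three broadcast deauthentications from a single BSSID in a short window is the classic signature of a deauth flood (or a mis-set containment feature); the same header fields let you spot a transmitter that uses your BSSID but was not heard on your channel before.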
TROUBLESHOOTING
GUI Tools

[Screenshots: Remote Debug Console and Packet Capture tools, and the context-menu tools]
TROUBLESHOOTING
Crash information

Sometimes, devices (or particular services) crash
– A crash file is generated in flash:/crashinfo/
– The device displays an asterisk (*) at its CLI prompt:
  • VX-DC1*>
– The device has an asterisk in front of its hostname in CLI listings
– The device has a yellow box in the GUI (Diagnostics tab only)

Asterisks/boxes stay until the crash files are deleted
– Better send them to tech support first (with a tech dump)

DC1# show wireless ap on STORE1
=====================================================================================
AP-NAME       AP-LOCATION  RF-DOMAIN  AP-MAC             #RADIOS  MODE  #CLIENT  IP
-------------------------------------------------------------------------------------
* STORE1-AP1  City         STORE1     5C-0E-8B-A4-48-80  2        W-W   0        192.168.21.119
  STORE1-AP2  City         STORE1     5C-0E-8B-A4-4B-48  2        W-W   0        192.168.21.120
* STORE1-AP3  City         STORE1     5C-0E-8B-A4-4C-3C  2        W-W   0        192.168.21.118
=====================================================================================
TROUBLESHOOTING
When nothing helps

Refer to Zebra tech support
– http://supportcentral.symbol.com/ for contacts
– A valid support contract must be in place

Be ready to generate a Tech Support dump
– CLI: service copy tech-support <USB/FTP/TFTP/SFTP>
– GUI: Copy Tech Support Dump
– Will not allow saving locally!
– Mail the file to the support team

Any questions before we move on?
TROUBLESHOOTING
What is the key challenge of performance troubleshooting?

1 Baseline: define the performance and configuration profiles
2 Alert: define alarms, reports and automated actions
3 Investigate & Mitigate: use specialized tools to investigate, analyse and ultimately fix the problem
TROUBLESHOOTING
ADSP / nSight Toolset

Centralized WLAN Troubleshooting: End-user Feedback, Performance, Alarms & Reports

HISTORICAL TROUBLESHOOTING TOOLS (PAST)
– Detailed Forensics
– Scope Forensics
– Alarm Forensics
– Forensic RF Spectrum Analysis
– Infrastructure Forensics
REAL-TIME TROUBLESHOOTING TOOLS (PRESENT)
– LiveView
– Connectivity Troubleshooting
– AP Testing
– LiveRF
PROACTIVE TROUBLE PREVENTION (FUTURE)
– AP Testing
– Policy Compliance
– Performance Policy

nSight demo time!
WING5 TROUBLESHOOTING TOOLKIT
Check your understanding

1 Debugging and Packet capture can be local, _____________ or ________________
2 The results can be sent to console, ________________, _____________ (debug) or _________ (pktcap)
3 Can you capture dropped packets? When would you do it?
  _______________________________________________________________________
4 When would you use an AP as a sniffer instead of packet capture?
  _______________________________________________________________________
5 What is the challenge with troubleshooting performance issues? Which tools can you use?
  _______________________________________________________________________
6 Name the key guiding principles of troubleshooting.
  _______________________________________________________________________
7 How do you generate a Tech Dump? When would you do it?
  _______________________________________________________________________
WING5 TROUBLESHOOTING TOOLKIT
Module recap

Check your learning, can you perform the following?
 List and explain key rules of troubleshooting
 List and explain WiNG5 troubleshooting features
 List key troubleshooting commands
 Explain and use Remote Debugging functionality
 Explain and use Packet Capture functionality
 Explain the challenges and approaches to performance troubleshooting
 Troubleshoot configuration issues in your lab setup
 Generate a tech support dump

Any experiences or opinions to share?
Was this helpful? How?
Any questions before we move on?
PART 2 SUMMARY
What you have learned:
 WiNG Security Features
 WAN Features
 Efficient Management and Operations
 Mass Management
 WiNG Advanced Troubleshooting

Was it useful?
Good job! Was it fun?
Any final comments?
…ONE MORE THING
Is good wireless gear enough for good wireless?
Is bad wireless gear to blame for bad wireless?

WLAN DESIGN CONSIDERATIONS
Objectives and Plan

What are your experiences designing WLANs?
What are your experiences troubleshooting someone else's designs?

Here's what we will discuss
 What are the key approaches to WLAN design?
 What is the common approach to capacity and RF design?
 What are the common pitfalls?
 What is the one thing you should remember?

Plan
 Discuss
 Extended discussion if we have more time
 Things to reflect upon
 Wrap up
WLAN DESIGN
What is the goal of the design process?

Come up with a solution that…
– Meets the requirements
– …or reasonably exceeds them

What are the typical WLAN requirements? Can you list a few?
 ____________________________
 ____________________________
 ____________________________
 ____________________________
 ____________________________
 ____________________________
WLAN DESIGN
Key choice: coverage or capacity?

Coverage
– Coverage is the goal
– AKA "Design for Range"
– Lower rates, max coverage
Choose for applications that are
– Low-bandwidth
– Low-client-density
– Non-real-time (async)
– No prospects for growth
– Client capabilities are well known
Examples:
– Telnet in a warehouse/retail
– Outdoor yard management
Cons:
– Congested
– Upgrading means repositioning some or all of the APs

Capacity
– Performance is the goal
– AKA "Design for Rates"
– Just rates is not enough
Choose for applications that
– Require an SLA
– May grow
– Active roaming environments (client number can fluctuate)
Examples:
– RTLS
– VoWLAN / Video
– Online gaming
Cons:
– Requires more APs
– Requires precise understanding of the environment
– Requires precise L1 and L2 planning
WLAN DESIGN
Typical WLAN design approach – can you do it?

Calculate throughput per area  Calculate number of cells required  Align cells into coverage plan
WLAN DESIGN
How to calculate the number of cells required?

Consider
– How many AP8132 (802.11n, 3x3:3, dual-radio) are needed to support
– 100 clients each requiring 2Mbps (video streaming)

Easy answer
– Calculate AP capacity, divide by client bandwidth requirements
– AP8132: 3 spatial streams = 450Mbps per radio = 900 Mbps per AP
– 900Mbps / 2Mbps = 450 clients per AP ==> 1 AP is more than enough
– Does it seem real?
  • So, for VoIP (0.25Mbps), one AP will support 3600 clients on two radios?

Correct answer
– …is a question
– …that requires a lot of understanding
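Why the easy answer fails can be shown with a minimal airtime budget. The block below is an added Python example, not part of the course: a radio has 1.0 of airtime to hand out, each client consumes throughput divided by the PHY rate it actually connects at (times a MAC efficiency factor), and the sum must stay below 1.0. The 0.5 MAC efficiency and the rate mix are assumptions for illustration, not measurements; the PHY rates 450, 130 and 6.5 Mbps are 802.11n rates (3x3 40 MHz short-GI, 2x2 20 MHz MCS15, 1x1 MCS0). It generalises the slide's single case to any client mix, which is the point: the number of APs depends on the slowest clients, not on the AP's headline rate.

```python
import math

# Assumed MAC efficiency: fraction of the PHY rate left after contention,
# preambles, ACKs, retries and management traffic. A rough planning figure,
# not a measurement; replace it with what you observe on your own network.
MAC_EFFICIENCY = 0.5


def airtime_fraction(throughput_mbps, phy_rate_mbps, mac_efficiency=MAC_EFFICIENCY):
    """Share of one radio's airtime a client needs for throughput_mbps at phy_rate_mbps."""
    return throughput_mbps / (phy_rate_mbps * mac_efficiency)


def average_airtime(per_client_mbps, client_mix, mac_efficiency=MAC_EFFICIENCY):
    """client_mix: list of (fraction_of_clients, phy_rate_mbps); fractions sum to 1."""
    if abs(sum(f for f, _ in client_mix) - 1.0) > 1e-9:
        raise ValueError("client mix fractions must sum to 1")
    return sum(f * airtime_fraction(per_client_mbps, rate, mac_efficiency)
               for f, rate in client_mix)


def clients_per_radio(per_client_mbps, client_mix, mac_efficiency=MAC_EFFICIENCY):
    """How many clients of this mix fit on one radio before its airtime is exhausted."""
    return int(1.0 / average_airtime(per_client_mbps, client_mix, mac_efficiency))


def radios_needed(n_clients, per_client_mbps, client_mix, mac_efficiency=MAC_EFFICIENCY):
    """Radios required so that total demanded airtime stays within 1.0 per radio."""
    return math.ceil(n_clients * average_airtime(per_client_mbps, client_mix, mac_efficiency))


# The slide's naive case: every client connected at the 3-stream 450 Mbps PHY rate.
ALL_FAST = [(1.0, 450)]
# Constructed, more realistic mix: half at 450, 40% at 130, 10% at the lowest MCS.
MIXED = [(0.5, 450), (0.4, 130), (0.1, 6.5)]

if __name__ == "__main__":
    for name, mix in (("all at 450", ALL_FAST), ("mixed rates", MIXED)):
        print(f"{name}: {clients_per_radio(2.0, mix)} video clients per radio, "
              f"{radios_needed(100, 2.0, mix)} radios for 100 clients")
    print(f"one 2 Mbps client at 6.5 Mbps eats {airtime_fraction(2.0, 6.5):.0%} of a radio")
```

Even with every client at 450 Mbps the model halves the slide's 225-per-radio figure, and with one client in ten stuck at MCS0 the same radio carries about a dozen video streams: those few slow clients take over 60% of the airtime each. That is the "question that requires a lot of understanding": which rates will your clients really connect at, in your building, with your coverage plan.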
WLAN DESIGN
How is L2 affected by L1?

RF / Protocol
– Hub
– Unstable medium
– No guaranteed baseline
– QoS is a probability
– No upstream control, QoS priorities are not enough
– No such thing as multicast
Users
– Moving / rate shifting
– Roaming
– Sleeping
– Population fluctuates
Key WLAN/cell resource? ______________________

Coverage Plan
Wrong shape = signal leaks = signal where not required
– Interference (adjacent and neighbour APs and clients)
– Congestion (collision domain too big)
– Security issues (signal bleeding where it should not)
Wrong size
– Too big – see "Wrong shape"
– Too small  low speeds / lack of coverage / problems with roaming
Materials have different properties in different frequency bands – will affect cell shape and size
– Need to have separate plans for 2.4GHz and 5GHz
WLAN DESIGN
How to get a good signal?
Not just AP placement + power + antenna
Required coverage will be different for:
– Different frequencies: FSPL is different, materials behave differently
– Different data rates: different SNR and minimum Rx sensitivity requirements
– Different clients: WLAN adapter/antenna design = different Rx sensitivity
– Different environments: multipath, fading, interference
– Forward and reverse link: power asymmetry
WLAN DESIGN CONSIDERATIONS
Adjusted WLAN design approach – can you do it?

Clearly define all requirements  RF Design  MAC Design  Proper installation
WLAN DESIGN
One thing to remember

There is MORE than meets the eye
WLAN DESIGN CONSIDERATIONS
Check your understanding
Example things to reflect upon. Can you answer these questions?
– How many times is a 20dBm signal stronger than a 10dBm signal?
– You have an isotropic radiator. You measure RSSI at distances of 5m, 10m, 50m and 100m from the source. How is the signal loss (in dB) on the segment from 5m to 10m related to the loss on the segment from 50m to 100m?
– What happens when you mount an AP on a metallic surface?
– A customer reports RSSI at the client of +10dBm. What do you think of this?
– You are doing a site survey in a warehouse, where the signal is consistently > -30dBm and there are at least 14 APs seen from any point of the building. The heatmap is solid green, but the network is slow and unstable. Why?
– What is the key difference in channel planning between DSSS and OFDM channels?
– Why would you want to hang an antenna upside down?
– What is the minimal recommended omni antenna separation from pillars, walls and columns? Can you calculate/estimate it?
– Describe the difference in antenna patterns of ceiling-mount vs wall-mount patch antennas.
– Describe precisely the boundaries of a collision domain in a WLAN. Why is that important?
– Describe precisely the boundaries of a broadcast domain in a WLAN. Why is that important?
– How is the WLAN threat model different from the LAN threat model? How can traditional LAN security tools protect from WLAN-specific threats?
– What happens to multicast in 802.11 networks? How does this affect video and audio broadcasting over WLAN?
– Why is there so much special attention to the Bonjour protocol when using WLANs?
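The first two questions and the +10dBm report all come down to the same two formulas, so here is a worked check in Python, added as an example and not part of the course: decibels are a logarithmic power ratio, and free-space path loss grows with 20·log10 of distance, so every doubling of distance costs the same number of dB wherever it happens. The EIRP, client distance and frequency used in the plausibility check are assumptions for the example.

```python
import math


def db_to_ratio(db):
    """Linear power ratio for a difference expressed in dB."""
    return 10 ** (db / 10)


def dbm_to_mw(dbm):
    """Absolute power in milliwatts for a dBm value."""
    return 10 ** (dbm / 10)


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss; the -27.55 constant is for metres and MHz."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_mhz) - 27.55


def segment_loss_db(d_near_m, d_far_m, freq_mhz):
    """Extra loss between two distances from the same source: 20*log10(d_far/d_near)."""
    return fspl_db(d_far_m, freq_mhz) - fspl_db(d_near_m, freq_mhz)


def max_rssi_dbm(eirp_dbm, distance_m, freq_mhz):
    """Strongest RSSI a client can see at this distance in free space (0 dBi client antenna)."""
    return eirp_dbm - fspl_db(distance_m, freq_mhz)


def rssi_plausible(reported_dbm, eirp_dbm=23.0, min_distance_m=1.0, freq_mhz=2437.0):
    """Sanity check for a reported RSSI against the best case (assumed 23 dBm EIRP at 1 m)."""
    return reported_dbm <= max_rssi_dbm(eirp_dbm, min_distance_m, freq_mhz)


if __name__ == "__main__":
    print(f"20 dBm vs 10 dBm: {db_to_ratio(10):.0f}x the power "
          f"({dbm_to_mw(20):.0f} mW vs {dbm_to_mw(10):.0f} mW)")
    print(f"5 m -> 10 m: {segment_loss_db(5, 10, 2437):.2f} dB, "
          f"50 m -> 100 m: {segment_loss_db(50, 100, 2437):.2f} dB")
    print(f"best case RSSI 1 m from a 23 dBm EIRP AP on ch 6: {max_rssi_dbm(23, 1, 2437):.1f} dBm")
    print("+10 dBm at a client plausible?", rssi_plausible(10))
```

A client cannot receive more than the AP radiates, and even one metre from a 23 dBm EIRP radio at 2.4 GHz the free-space loss is about 40 dB, so a reported +10dBm RSSI is a reporting or tooling problem, not a strong signal.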
WRAP UP
The End is Near…
WRAP UP
Check your learning
 Explain all key WING5 characteristics without using the documentation
 Explain how all core WiNG5 features work using the student guide
 Deploy all standard configurations covered in course using documentation
 90%+ of what is typically encountered in the field
 Configure other WiNG5 features using WiNG HOW-TOs
 Describe advanced WiNG5 features using the study guide
 Explain, follow and deploy WING5 best practices and reference designs
 Explain the key WLAN design challenges and caveats
 Troubleshoot any configuration you have built using available aids

What are your experiences?
• Were expectations / goals for this session met?
• Was it useful?
• Will it help you in your work? How?
• Was it fun?
WRAP UP
Key information sources

Partner Central: http://partnercentral.zebra.com
Zebra Knowledge Center: http://learning.zebra.com
Support Central: http://support.symbol.com

Also: LinkedIn communities, YouTube channels
WRAP UP
Key information sources

Spec sheets, references, product manuals and reference guides
• Support Central
• Partner Central
• Website
HOW TOs, Best Practices and Deployment Guides
• Support Central
• Partner Central
Release notes!
• Support Central
SUMMARY TO ALL SUMMARIES
You are now in control of WING5!

You're awesome!
WiNG5 is not bad either…
ONE MORE THING…
Course Feedback

How did you like the course?
– Feedback used for course improvement
How did you like your instructor?
– Feedback used for instructor improvement
Please add explanations for every mark below "Good"
– We can't fix it if we don't know exactly what it is
THANK YOU