3.3.2-057B, 2015-06
COURSE OBJECTIVES
After completing this course, you should be able to:
Explain all key WING5 characteristics without using the documentation
Explain how all core WiNG5 features work using the student guide
Deploy all standard configurations covered in course using documentation
90%+ of what is typically encountered in the field
Configure other WiNG5 features using WiNG HOW-TOs
Describe advanced WiNG5 features using the study guide
Explain, follow and deploy WING5 best practices and reference designs
Explain the key WLAN design challenges and caveats
Troubleshoot any configuration you have built using available aids
Recommended:
– WLAN Technical Associate Certification (xWWTA0001)
– WiNG4 or other enterprise wireless vendor experience
HOUSEKEEPING
Important to know
Labs
– Lab Kits, 2.4GHz only clients
– Read ahead, labs have traps. Read next item as well for hints/clues
– Save configs after every lab
WING5
INTRODUCTION
What is WiNG5?
WING5 INTRODUCTION
Module Intro
Plan:
Discuss the topics
Check your knowledge by answering recap questions
WING5 KEY HIGHLIGHTS
Simplified Deployments
[Diagram: WLAN Controller (RFS4000) reached over DSL, T1 or 3G WAN links, with Indoor Mesh; callouts 1-3 refer to the points below]
1. Works with existing VLANs, no need to redesign the network
2. Optimal packet forwarding over Layer 2, Layer 3 or Mesh links
3. Fast site-to-site direct links
WING5 KEY HIGHLIGHTS
Security at the edge of the network
WING5 KEY HIGHLIGHTS
Superior Reliability
SMART RF
– Automatic real-time RF Management
– Power and channel selection
– Interference mitigation
– Neighbour recovery
– Wireless Client Coverage Hole Recovery
– Supports multiple sites
WING5 KEY HIGHLIGHTS
Massive Scalability
Harness the processing power of the Access Points: vastly improved scalability
10X improvement for small packets – benefits VOIP performance
– Redesigned network stack increases performance for small frames
Fast roaming
Controller is no longer a bottleneck
– 1000s of sites with a single controller
WING5 CONTROLLERS
Overview and evolution
Services / Features & Applications tier:
– NX 9000, NX 95xx (NX9xxx) and NX 9600 (NX96xx): adoption capacity = 10,240
– NX 7500: adoption capacity = 2048
– VX 9000: virtualized controller
Controller tier:
– NX 6500 / 6524: adoption capacity = 264
– NX 4500 / 4524: adoption capacity = 144
End of Sale or Pending End of Sale:
– RFS 4010
WING5 AP PORTFOLIO
Supported and on sale
WING5 AP PORTFOLIO
What you should focus on
– AP 8122: 802.11n 3x3:3
– AP 8132: 802.11n 3x3:3
LAN SWITCHES
EX3500 Series
– EX-3524: 24 port, 370W power budget
– EX-3548: 48 port, 740W power budget
T5 PBN SOLUTION
Private Broadband Networking
[Diagram: TW-511 802.11a/b/g/n wallplate connected to the core network over 450M of telephone wire]
TW-511 wallplate:
• 2 x FE ports
• 1x 11abgn radio
• 125 x 92 x 29mm (5 x 3.6 x 1.1”)
T5 PBN SOLUTION
Why/when do you need it?
Hotel/office block with lots of rooms
– Telephony already present, but no CAT5
WING5 KEY HIGHLIGHTS
WiNG5 licenses
AP/AAP Licenses
– Bought in packs
– Can be shared in cluster and hierarchy
– AAP License supports any AP except AP300
– AP Licenses were required only for AP300s (AP300 no longer supported)
WING5 KEY HIGHLIGHTS
Variety of Architectures
Single Site
1. Standalone: Tiny sites with 1-2 AP’s; no need for centralized configuration
2. Virtual Controller: Small sites with 2-24/64 AP’s; centralized management within site
3. On-Site Controller: Sites with >24 AP’s; campus deployments; distributed forwarding – centralized management
WING5 KEY HIGHLIGHTS
Variety of Architectures
5. Controller in the DC: Sites with <=128 AP’s; no onsite controller, real-time operations localized within site = efficient use of WAN, site survivability
6. Hierarchical: Multiple sites with >128 AP’s; site controllers managed from DC controller; efficient use of WAN, site survivability
WING5 KEY HIGHLIGHTS
Distributed Hierarchical Enterprise Infrastructure
[Diagram: HQ / DC with an NX/VX DC Cluster (integrated management, security, assurance, etc) managing branches of different sizes: Medium Branch, Small Branch, Micro Branch and Micro / Telecommuters; branches are served by a managed RFS cluster or a managed NX controller with extra services]
WING5 INTRODUCTION
Module Recap
How do you think it might help you in this training and later when working with WiNG5?
KEY CONCEPTS
How is WiNG5 set up?
WING5 CONFIGURATION MODEL
Module Intro
Plan:
Discuss the topics
Check your knowledge by answering recap questions
KEY CONCEPTS
Configuration Model Overview
Distributed Operation
– Manage large number of devices
– HQ manages sites (site2, siteXX, lab, …)
Profiles (default-vx9000, default-nx7500, default-ap7532, default-ap7521, default-ap8163, user-defined)
– Share common configuration between devices
– Minimize the amount of config objects
Devices: VX9000-1, VX9000-2, AP7532-1, AP7532-2, …
WLANs: corp, guest-hq, TEST, storeWLAN, staging WLAN 256
Policies: AAA, ISAKMP, Adoption, Management, Advanced WIPS, NAT, Association ACL, Captive Portal, Radio QoS, RADIUS Server
Master Configuration File
– Replaces the traditional flat config
– Contains configuration for the whole WiNG5 network (hierarchy)
– Resides on Controller(s)
KEY CONCEPTS
Device Final Configuration
KEY CONCEPTS
Reference: configuration element definitions
RF Domains: Assigns regulatory, location and supported Policies to one or more Wireless Controllers and Access Points. Each Wireless Controller and Access Point must be assigned to a default RF Domain or user-defined RF Domain.
Policies: Policies contain groups of configuration parameters for specific features such as AAA, Captive Portal, WIPS, Firewall etc. Policies can be assigned to Wireless Controllers or Access Points using RF Domains, Profiles, WLANs and Devices.
WLANs: Each WLAN object contains Wireless LAN specific configuration parameters such as SSID name, VLANs, encryption and authentication as well as supported policies. WLANs can be assigned to groups of Access Point radios using Profiles or individual radios as Overrides.
Devices: Each device may be individually assigned unique configuration parameters such as Hostnames, static IP addresses as well as supported Policies and WLANs. Individual device configuration combines with the configuration parameters inherited from RF Domains and Profiles to form a final device configuration.
KEY CONCEPTS
Example
[Diagram: controllers NX-01 (00-23-68-64-43-5A) and NX-02 (5C-0E-8B-17-E8-F6) in RF Domain mysite]
rf-domain mysite
 location Somewhere under a mountain
 contact admin@mycorp.com
 timezone GMT
 country-code us
 use smart-rf-policy myRF
!
KEY CONCEPTS
Example
KEY CONCEPTS
Example
[Diagram: NX-01 (00-23-68-64-43-5A), NX-02 (5C-0E-8B-17-E8-F6) and APs 5C-0E-8B-A4-48-80, 5C-0E-8B-A4-4B-48, 5C-0E-8B-A4-4C-3C in RF Domain mysite]
nx7500 00-23-68-64-43-5A
 use profile site-nx
 use rf-domain mysite
 hostname nx-01
 license AAP <string>
 license ADSEC <string>
 ip default-gateway 192.168.20.1
 interface up1
  description SERVICES
 interface vlan20
  ip address 192.168.20.22/24
  description Services
 interface vlan25
  ip address 192.168.25.22/24
  description Guests
 cluster name site-cluster
 cluster member ip 192.168.20.23
 cluster master-priority 255
!
nx7500 5C-0E-8B-17-E8-F6
 use profile site-nx
 use rf-domain mysite
 hostname nx-02
 license AAP <...>
 license ADSEC <...>
 ip default-gateway 192.168.20.1
 interface up1
  description SERVICES
 interface vlan20
  ip address 192.168.20.23/24
  description Services
 interface vlan25
  ip address 192.168.25.23/24
  description Guests
 cluster name site-cluster
 cluster member ip 192.168.20.22
 cluster mode standby
!
ap7532 5C-0E-8B-A4-48-80
 use profile site-ap
 use rf-domain mysite
 hostname AP-01
!
ap7532 5C-0E-8B-A4-4B-48
 use profile site-ap
 use rf-domain mysite
 hostname AP-02
!
ap7532 5C-0E-8B-A4-4C-3C
 use profile site-ap
 use rf-domain mysite
 hostname AP-03
!
RF DOMAINS
Introduction
Can be assigned
– Manually
– Automatically (using Auto-Provisioning Policies)
[Diagram: RF Domain = Corp]
RF DOMAINS
Example 1: Hassle-Free
[Diagram: RF Domain ‘Corp’ uses Smart-RF Policy ‘Corp’ and WIPS Policy ‘Corp’]
RF DOMAINS
Example 2: Policy Re-use
[Diagram: RF Domains ‘Building1’ and ‘Building2’ both use Smart-RF Policy ‘Office’; ‘Building3’ uses Smart-RF Policy ‘Industrial’; ‘Building4’ uses Smart-RF Policy ‘Labs’]
RF DOMAINS
Example 3: Large Scale Multi-Site
[Diagram: six RF Domains, each with its own Country Code, Time Zone, Smart-RF policy and WIPS policy. Portland (Country Code = US, Time Zone = PST), Toronto (CA, EST) and Chicago (US, CST) use the Smart-RF policies Factory, Office and DC with WIPS = Branch; LA (US, PST): Smart-RF = Office, WIPS = Branch; Atlanta (US, EST): Smart-RF = R&D, WIPS = Branch; Corp (US, CST): Smart-RF = Office, WIPS = Corp]
RF DOMAINS
Example 4: RF Domain Overrides
WLAN OfficeWLAN: SSID = Corp, VLAN = 1 (common WLAN ID, common SSID, common VLAN IDs)
WLAN StoreWLAN: SSID = Store01, VLAN = 4 at one site; SSID = Store65, VLAN = 2 at another (common WLAN ID, unique SSID, unique VLAN IDs)
RF DOMAINS
Elements and Config
RF DOMAINS
Check your understanding
– Changes are propagated/inherited automatically
PROFILES
Elements and Config
PROFILES
Default and User-Defined
[Diagram: Default and User-Defined profile lists]
AnyAP Profile
• Supported in WiNG Enterprise 5.8+
• “One size fits all”: some device-specific features may not be available
• Before calling tech support – validate with “proper” device-specific profile
PROFILES
Automatic Provisioning Policies
PROFILES
Check your understanding
2. Can you assign more than one Profile to a device? Same profile to multiple devices? _______________________________________________________________________
DEVICES AND OVERRIDES
Elements and Config
DEVICES AND OVERRIDES
Example: Combining Profile and Override settings
WLANs assigned by the Profile for radio 2 are overridden by the WLANs assigned to radio 2 on the device
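An added example (not part of the course material) of how the final device configuration described under "Reference: configuration element definitions" is assembled, including the radio-2 WLAN override rule from the slide above. The layer contents are constructed after the course's mysite / site-ap / AP-01 example; the profile's WLAN lists and the wips-policy name are assumptions.

```python
"""Added example (not from the course material): derive a WiNG5 device's final
configuration from its RF Domain, Profile and device section, and report which
settings the device section shadows. Data constructed after the course examples."""

# Constructed master-config fragments. Each layer carries plain parameters,
# 'use <policy>' references and the WLANs assigned per radio.
RF_DOMAINS = {
    "mysite": {
        "params": {"country-code": "us", "timezone": "GMT",
                   "location": "Somewhere under a mountain"},
        "policies": {"smart-rf-policy": "myRF"},
    },
}
PROFILES = {
    "site-ap": {
        "params": {"ip default-gateway": "192.168.20.1"},
        "policies": {"wips-policy": "site-wips"},            # assumed policy name
        "radio_wlans": {1: ["corp", "guest-hq"], 2: ["corp", "guest-hq", "TEST"]},
    },
}
DEVICES = {
    "5C-0E-8B-A4-48-80": {                                    # AP-01 from the course example
        "model": "ap7532", "profile": "site-ap", "rf-domain": "mysite",
        "params": {"hostname": "AP-01", "ip default-gateway": "192.168.20.254"},
        "policies": {},
        "radio_wlans": {2: ["storeWLAN"]},                    # override for radio 2 only
    },
}

LAYER_ORDER = ("rf-domain", "profile", "device")   # later layers win


def _entries(layer):
    """Flatten one layer into key -> value; radios are keyed 'radio<N>'."""
    flat = dict(layer.get("params", {}))
    flat.update(layer.get("policies", {}))
    flat.update({f"radio{r}": list(w) for r, w in layer.get("radio_wlans", {}).items()})
    return flat


def final_config(mac):
    """Effective configuration for one device, plus the layer each value came from."""
    dev = DEVICES.get(mac)
    if dev is None:
        # A replacement box with a new MAC has no device section of its own.
        return None
    layers = {"rf-domain": RF_DOMAINS[dev["rf-domain"]],
              "profile": PROFILES[dev["profile"]],
              "device": dev}
    cfg = {"params": {}, "policies": {}, "radio_wlans": {}, "source": {}}
    for name in LAYER_ORDER:
        layer = layers[name]
        for key, val in layer.get("params", {}).items():
            cfg["params"][key] = val
            cfg["source"][key] = name
        for key, val in layer.get("policies", {}).items():
            cfg["policies"][key] = val
            cfg["source"][key] = name
        # WLAN assignment is replaced per radio, not merged: an override on
        # radio 2 discards the profile's list for radio 2; radio 1 is untouched.
        for radio, wlans in layer.get("radio_wlans", {}).items():
            cfg["radio_wlans"][radio] = list(wlans)
            cfg["source"][f"radio{radio}"] = name
    return cfg


def shadowed_by_device(mac):
    """Keys the device section sets that RF Domain or Profile also set (true overrides)."""
    dev = DEVICES[mac]
    inherited = {}
    for layer in (RF_DOMAINS[dev["rf-domain"]], PROFILES[dev["profile"]]):
        inherited.update(_entries(layer))
    return sorted(k for k in _entries(dev) if k in inherited)
```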
DEVICES AND OVERRIDES
When to use overrides?
Useful for:
– Assigning static IP addresses, hostnames, licenses, certificates
– Overriding network, wireless, security or services for individual devices
DEVICES AND OVERRIDES
Check your understanding
1. EVERYTHING you see in the device section (<model> <MAC>) of the master config file is a _______________________________________________________________________
2. All configuration parameters and policies assigned to an individual device will _________ those inherited from RF Domain and/or Profile
3. EVERYTHING in the device section will only apply to the device with the same ____ MAC address.
5. An AP has WLANs 1,2,3 assigned from the Profile and 4 assigned as an Override. How many WLANs will the AP have? Which ones? __________________________________
6. You are replacing a faulty controller, and simply copy the old config file onto the new box. What will happen? ____________________________________________________
7. Would you try minimizing or maximizing the number of overrides in your config? _______________________________________________________________________
or RF Domains
You will learn many policies in the class
POLICIES
Check your understanding
1. How many policies of each type can be assigned per RF Domain, Profile, WLAN or Device Section? _________________________________________________________
2. Each policy requires a unique _____ and can be assigned to (single or multiple?) RF Domains, Profiles, WLANs or Devices
WLANS
Elements and Config
Policies:
– AAA Policy
– Association ACL Policy
– Captive Portal Policy
– IP Access List
– MAC Access List
– WLAN QoS Policy
Configuration Parameters
– Basic Configuration: SSID, Description, Status, QoS Policy, Bridging Mode, Broadcast SSID, Answer Broadcast Probes, VLAN(s), RADIUS Overrides
– Security: Authentication, AAA Policy, Captive Portal, MAC Registration, Encryption
– Firewall: Inbound / Outbound IP ACLs, Inbound / Outbound MAC ACLs, Association ACL, Trust RADIUS NAS, Wireless Client Deny, Firewall Session Holdtime, HTTP Analysis
– Client Settings: Client-to-Client Communications, Client Power / Idle Time, Max Firewall Sessions, Max Clients / Radio, Enforce Client LB / DHCP, Proxy ARP Mode, Symbol Client Extensions, Credential / VLAN Cache
– Accounting: Syslog Accounting, Proxy Mode, Format / Case, RADIUS Accounting
– Client Load Balancing: Enforce Client LB, Timers, Settings
– Advanced: 802.11w, Dynamic Authorization, Radio Rates
– Auto Shutdown: Triggers
– Time Based Access
Example:
wlan CORP-PSK
 ssid CORP-PSK
 vlan 22
 bridging-mode local
 encryption-type ccmp
 authentication-type none
 wpa-wpa2 psk 0 qwertyui
!
wlan CORP-DOT1X
 ssid CORP-DOT1X
 vlan 23
 bridging-mode tunnel
 encryption-type ccmp
 authentication-type eap
 use aaa-policy HQ-AAA-SERVERS
!
wlan CORP-GUEST
 ssid CORP-GUEST
 vlan $GUESTVLAN
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 use captive-portal corp-portal
 captive-portal-enforcement
 ip-access-list in GUEST-ACL
!
WLANS
Check your understanding
1. What must be defined on the AP before it can serve WLANs? Where do you define it? How do you map it to an AP? _______________________________________________
2. Are WLANs assigned to an AP’s Ports, Radios, Interfaces, VLANs, or Device in general? _______________________________________________________________________
3. Name two config elements that can assign WLANs to the device _______________________________________________________________________
4. WLANs assigned directly to a device radio as Overrides will override ___ WLANs assigned to this radio from the Profile
5. Can you have the same WLAN object with different SSIDs/VLANs/PSKs? Name two places where you have to define those overrides __________________________________
[Diagram: RF Domain (siteXX, lab) + Profile + Device (VX9000-1, VX9000-2, AP7532-1, AP7532-2, …) with Device Overrides + WLANs (corp, guest-hq, TEST, storeWLAN, staging WLAN 256) + Policies (AAA, Adoption, Advanced WIPS, ISAKMP, Management, NAT, Association ACL, Captive Portal, Categorization, Device Discover, DHCP, Firewall, IGMP Snoop, Radio QoS, RADIUS Server, Role, Smart-RF, VPN, WIPS, WLAN QoS, …) = Final Device Configuration]
WING5 CONFIGURATION MODEL
Module Recap
Soon you will practice this in the lab. Do you feel confident?
Can you explain why those UI and config model sections are there?
Any final questions before we move on?
INITIAL
CONFIGURATION
How do I make it work?
INITIAL CONFIGURATION
Module Intro
Plan:
Discuss the topics. Some topics are covered in slides, and some you will learn in the lab
Check your knowledge by answering recap questions
Practice your new skills and knowledge in labs
Final Q&A and end of the day
INITIAL CONFIGURATION
How do I connect to a “blank” device?
[Diagram: management station connecting to the device over SSHv2, TCP 22]
Management Policy:
– Local management user accounts, roles, access permissions
– Enable / disable management interfaces
– RADIUS / TACACS+ management user authentication, auditing and scoping
– Management access restrictions (ACLs)
– SNMPv2 / SNMPv3 parameters
Best practices
– Enable only secure management interfaces
– Disable unnecessary management interfaces on controller-managed APs
• Do you need HTTP server on a controller-managed AP?
• You can still log into an adopted AP using MiNT!
MANAGEMENT POLICIES
User Roles / Access Permissions
Role: Permissions
– Monitor: Read-Only
– Helpdesk: Troubleshooting utilities (e.g. sniffer), execute service commands, view/retrieve logs, reboot devices, etc
– Network: Configure all wired and wireless parameters (IP configuration, VLANs, L2/L3 security, WLANs, radios etc.)
– System: Modify general settings like NTP, boot parameters, perform firmware upgrades, auto install and control access
– Webuser: Create guest users for captive portal authentication (special UI)
– Security: Configure Wireless Firewall and QoS parameters
– Provisioning: Can add/remove/edit devices, but not Profiles/RF Domains/Policies, etc.
– Superuser: All configuration tasks.
MANAGEMENT POLICIES
Considerations
1. To avoid losing control of the device, you want to ensure that each Management Policy has at least one user with the role of _______________________________________________
2. Do you want the same management access settings on both Controllers and managed APs? If not – what would be different? ________________________________________
4. Is using HTTP and Telnet considered a good security practice? What should be used instead? ________________________________________________________________
5. What can you do to further restrict management access to specific hosts or subnets? _______________________________________________________________________
To the lab!
LAB: INITIAL CONFIGURATION
INITIAL CONFIGURATION
Module recap
WING5 ARCHITECTURE
How does it scale from 1 AP to thousands of sites?
Distributed ?
WING5 ARCHITECTURE
Introduction
WING5 ARCHITECTURE
High-level overview
WING5 ARCHITECTURE
Objectives and Plan
Plan:
Discuss
Recap
WING5 ARCHITECTURE
Three planes of network operation
Data Plane
– Making the packets flow
– L2/L3 forwarding, tunnelling
Control Plane
– Controlling the flows
– Firewalls, IPS, Dynamic Routing, QoS
– Roaming coordination
– Aggregation of statistics/events
– Remote debugging
Management Plane
– Network administration
– Device discovery, adoption, configuration management, providing single pane of glass view
WING5 ARCHITECTURE
Three planes of network operation
[Table to fill in for each plane (Data, Control, Management): Traffic, Smarts, Real-time?, Mission-critical?, Final load]
WING5 ARCHITECTURE
What is the secret of scalability?
[Table comparing Centralized, Controllerless and WiNG5 architectures per plane: Traffic, Smarts, Real-time?, Mission-critical?, Final load]
WING5 ARCHITECTURE
RFDM vs Controller
Scalability
– APs can only manage 1 RF Domain
Key commands
– show global domain managers
– show rf-domain-manager [on …]
[Diagram: RF Domain = Corp, RF Domain = Store3, RF Domain = Store4]
WING5 ARCHITECTURE
Check your understanding
2. What plane can a WiNG5 Controller belong to? What happens if you lose a Controller? How to protect from this? ___________________________________________________________________
3. What plane can a WiNG5 AP belong to? What happens if you lose an AP? How to protect from this? ___________________________________________________________________
4. What plane can an EX switch belong to? What happens if you lose it? How to protect from this? ___________________________________________________________________
5. What if you have more than one RFDM for the same RF Domain (as a result of misconfiguration)? How can this be possible? _____________________________________
MINT PROTOCOL
Objectives and Plan
Plan
Discuss
Recap
Practice in the next lab
MINT PROTOCOL
How do WING5 devices communicate?
Over L2 or L3
– Layer 2: EtherType 0x8783
• Point to Multipoint
– Layer 3:
• UDP 24576 (Control/Management)
• UDP 24577 (Data)
• Ports can be changed
• Point to Point
MINT PROTOCOL
How are MiNT links established?
Manual configuration
– Explicit static L2/L3 config (rarely)
– Control VLAN parameter
– Controller VLAN / Host parameters
MINT PROTOCOL
What types of links exist?
Level 1
Which link generates more traffic?
MINT PROTOCOL
Check your understanding
2. Which type do you think generates more traffic? Which is optimized for WAN? _______________________________________________________________________
4. Which protocol discovers devices and creates links automatically? Can you control it? _______________________________________________________________________
5. Can you manually create MiNT links? What Level? What Layer? Why would you do it? _______________________________________________________________________
6. What is the UDP port number for L3 links? Why are there two? Can you change them? When? _________________________________________________________________
ADOPTION
Plan
Discuss
Recap
Lab
ADOPTION
Overview
ADOPTION
Layer 2 (VLAN) discovery and adoption
If you were an AP looking for L2 adoption by a Controller, what would you do?
1. Discover possible adopters
– Auto: L2 MiNT MLCP broadcast on all VLANs
– Manually: controller vlan <X> (not needed in most cases)
2. Establish MiNT link and try getting adopted
3. Upon failure – go L3
[Diagram: AP and Controller connected through switches over Native VLAN and Tagged VLAN links]
ADOPTION
Layer 3 (IP) discovery and adoption
[Diagram: Site with branch router (BR) connected over the WAN to the DC gateway (GW)]
ADOPTION
Layer 3 (IP) discovery and adoption
ADOPTION
L3 Adoption Examples – can you explain the process?
[Diagram: L3 adoption examples. Corporate DNS (domain.com) holds the record “wing-wlc IN A 192.168.10.101”; Corporate DHCP hands out option 191 “pool1=192.168.10.101”. The controller sits on VLAN 10 at 192.168.10.101 behind the campus router (Ge1: 192.168.10.1/24, S0: 192.168.100.1/24; VLAN 10: 192.168.10.1/24, VLAN 11: 192.168.11.1/24, VLAN 12: 192.168.12.1/24, VLAN 13: 192.168.13.1/24). Two branch routers across the WAN (S0: 192.168.100.2/24 and S0: 192.168.100.3/24) serve APs on VLAN 20 (Ge1: 192.168.20.1/24) and VLAN 30 (Ge1: 192.168.30.1/24)]
ADOPTION
Check your understanding
2. What happens with the network during a Controller outage or cluster failover? Do you need to load-balance APs in a cluster? ______________________________________________
3. Do you need an IP address in order to adopt an AP over L2? Can you have one? _______________________________________________________________________
6. What protocol is responsible for controller discovery during adoption? Can you control it? _______________________________________________________________________
– Then stop!
MULTI-SITE
ARCHITECTURE
How does device find a Controller?
How does device find RFDM?
And what happens then?
MULTI-SITE ARCHITECTURE
Plan and Objectives
Plan
Discuss
Exercise
Demo
MULTI-SITE ARCHITECTURE
How do devices find the Controller?
Get adopted
– RF Domain and profile assigned
– Configuration added to master config
– Firmware upgrade, if required
MULTI-SITE ARCHITECTURE
How do devices find the RF Domain Manager?
Site APs
– Discover each other over the Control VLAN
– Form Level 1 Layer __ MiNT link
– Elect a RF Domain Manager for the site
Where is your Control Plane now?
– On site / off site?
– What if this does not happen?
Example:
rf-domain store002
 location Berlin
 timezone GMT+1
 country-code de
 use smart-rf-policy store-ETSI
 use wips-policy WIPS-EU
 control vlan 1
 override-wlan storewlan ssid STORE002
MULTI-SITE ARCHITECTURE
Link Optimization
MULTI-SITE ARCHITECTURE
Check your understanding
1. Where are Data, Control and Management planes in Centralized Controller architecture? _______________________________________________________________________
3. Which configuration parameter assures that devices will be able to find the local RFDM? Where is it defined? _______________________________________________________
5. Which commands can you use to check/troubleshoot your deployment? What should you see? ___________________________________________________________________
Multi-Site Scenario
– 03.3 Plug’n’Play L3 adoption multi-site
– 03.4 AP Device-Specific Settings
CLUSTERING
Removing single point of failure
CLUSTERING
Plan and Objectives
Plan
Discuss
Recap
DIY lab (extra curricular)
CLUSTERING
Overview
Best practice
– Two per cluster, Active-Standby
– Up to 6 RFS supported for WiNG4 migration
[Diagram: DC Cluster]
CLUSTERING
Configuration
Cluster Name:
Mandatory
Cluster Mode:
Optional
CLUSTERING
How to build a cluster quickly and safely?
1. On one Wireless Controller (Primary) build the master configuration for the network and define the Cluster Name
… The Secondary will establish MiNT link(s), join the cluster, add its device sections (but not policies/profiles/wlans/rf-domains) to the Primary’s Master Config and pull the updated config
Done: cluster is now operational and the configuration is synchronized in a safe way
CLUSTERING
Check your understanding
1. Maximum of how many Controllers? How many do you really need? Why? _______________________________________________________________________
6. Enforce ______ priority (set to ____ ) at the designated Master to ensure config integrity
MINT TUNNELING
…one more thing
MINT TUNNELING
Objectives and plan
Plan
Discuss
Recap
Exercise
MINT TUNNELING
Overview
MINT TUNNELING
Protocols
Controlled via “Bridging Mode” (VLAN/WLAN)
– Local – locally bridged/routed
– Tunnel – tunneled over MiNT (UDP 24576, UDP 24577 or EtherType 0x8783)
Both Level 1 and Level 2
– L2 tunneling is disabled by default
LOCAL BRIDGING
Use case: Campus
[Diagram: Campus with Building 1 and Building 2; Services, Configuration & Management on VLAN 10 and VLAN 20; distribution carries VLANs 10, 20, 30]
VLAN 30 is defined on all APs and Switches in the Campus to provide seamless Mobility
VLAN TUNNELLING
Use case: Campus
[Diagram: Campus with Services, Configuration & Management on VLAN 10 and VLAN 20 behind the distribution layer]
VLAN TUNNELLING
Use case: Layer 3 Mobility
[Diagram: Layer 3 Mobility. Services, Configuration & Management on VLAN 10 and VLAN 20; distribution carries VLANs 10-80 and 100; buildings use VLAN 30,100 / 40,100 / 50,100 / 60,110 / 70,110 / 80,110; the roaming client keeps IP 192.168.100.211/24 with DFG 192.168.100.1 in every location]
VLAN TUNNELLING
Use case: Guest Traffic
[Diagram: Guest traffic on VLAN 80,90 carried over an IP MiNT Link; VLAN 10 at both ends]
LOCAL BRIDGING
Exercise
[Diagram: VLAN 10, VLAN 11, VLAN 12 on switch ports Ge0/1 and Ge0/2; AP1 and AP2 attached via Ge1]
CENTRALIZED FORWARDING
Exercise
[Diagram: Ext. VLAN, VLAN 10, VLAN 20, VLAN 21 on switch ports Ge0/1 and Ge0/2; AP1 and AP2]
MINT TUNNELING
Technical details and useful commands
LOCAL BRIDGING
Check your understanding: local or tunnel?
1. A new WLAN is deployed across 150 APs with a dedicated VLAN to support it and you need to touch each switch port
2. Your AP has VLANs 1,2,3,4 defined, but only VLAN1 comes through. What mode, what problem? _______________________________________________________________
4. Client roams between APs located in different IP subnets w/o having to change IP address ________________________________________________________________
5. Client pings a wired resource from AP. You are tracing the GE1 interface but can’t see ICMP packets. What will you see instead? How should you trace? __________________
6. Your controller should support 1000+ APs, but you start having problems after 250 _______________________________________________________________________
7. You are seeing unnecessary extra hops. How can you avoid it? _______________________________________________________________________
Local
Pros:
– No encapsulation overhead
– Shorter paths
– Controller out of datapath
– Very scalable
– Transparent bridging and routing
Cons:
– Traffic goes onto wired via multiple points – harder to control
– More management overhead on wired integration side
Tunnelled
Pros:
– More security due to tunnelling
– Single point of control and integration
– Easy to add new APs
– Can tunnel over L2 MiNT links over WAN instead of complex IPsec/L2TPv3 setups
Cons:
– Encapsulation overhead
– Extra hops
– Controller may be a bottleneck
• Number of tunnels
• Throughput
VLAN BRIDGING & TUNNELING
Module recap
REFERENCE DESIGNS
AND BEST PRACTICES
Putting it all together
REFERENCE DESIGNS AND BEST PRACTICES
Objectives and plan
Plan
Discuss
No recap – exercises in the next module
REFERENCE DESIGNS
Single Site
Single Site
1. Standalone: Tiny sites with 1-2 AP’s; no need for centralized configuration
2. Virtual Controller: Small sites with 2-24/64 AP’s; centralized management within site
3. On-Site Controller: Sites with >24 AP’s; campus deployments; distributed forwarding – centralized management
REFERENCE DESIGNS: SMALL DEPLOYMENTS
Virtual Controller (Small sites with <= 24/64 APs)
Similar to “real” WiNG5 Controller
– Centralized configuration
– Adoption
– Firmware updates
[Diagram: site APs with a Virtual Controller connected to the Internet]
REFERENCE DESIGNS: SINGLE SITE
Single Site with 50-1024 APs (21-128 low-end APs)
REFERENCE DESIGNS: SINGLE SITE
Single Site with 1025+ APs (128+ low-end APs)
– L2 Cluster links
– Multiple Controller-Managed RF Domains
[Diagram: Core with VLAN 11, VLAN 12, VLAN 13]
VIRTUAL RF DOMAIN MANAGER
Configuration and operation
Configuration:
– RF Domain -> Controller Managed
– Allows having some RF Domains on controllers and some on APs for mixed
deployments
Model: RF Domains
– RFS4000 / NX4500: 2
– RFS6000 / NX6500: 5
– RFS7000: 10
– NX7500: 40
– NX9500: 200
– VX9000: 0
SINGLE SITE BEST PRACTICES
Things to remember and care about
Adoption
> 50 (>20 low-end) APs MUST use Layer 3 adoption!
1025+ (128+ low-end) APs -> MUST use Level 2 MiNT links!
Disable automatic learning of staging config (no need in most cases)
Disable automatic FW upgrades (no device-upgrade auto)
RF Domains
Try making controller the only RFDM (Virtual RFDM or single RF Domain)
Disable RFDM elections for controller-managed RF Domains
No Control VLAN
Other
Learn customer’s STP design and its impact on you (PortFast on AP ports, etc)
Disable CDP/LLDP if not supported by infrastructure
REFERENCE DESIGNS
Multi Site
Multi-Site
5. Controller in the DC: Sites with <=128 AP’s; no onsite controller, real-time operations localized within site = efficient use of WAN, site survivability
6. Hierarchical: Multiple sites with >128 AP’s; site controllers managed from DC controller; efficient use of WAN, site survivability
REFERENCE DESIGNS: MULTI SITE
Multi Site with 1-128 APs (24 low-end APs)
Within site
– Separate RF Domain
– Level 1, Layer 2 MiNT links
– Must define Control VLAN
– Disable MLCP L2 to avoid issues
• Control VLAN will still create link
REFERENCE DESIGNS: MULTI SITE
Multi Site with 129-4096 APs (>24 low-end APs)
Within site
– APs adopted at Layer 2/3 to SC (follow campus rules)
– Separate RF Domain
– Level 1 IP (> 24AP) MiNT links
– No Control VLAN defined
One level of hierarchy
– DC can lend licenses to CC
– Clusters can adopt clusters
[Diagram: site controllers with Level 1 links to sites of 128 x APs and 72 x APs, one level of hierarchy below the DC]
REFERENCE DESIGNS
Bringing it all together…
MULTI-SITE BEST PRACTICES
Things to remember and care about
Adoption
Level 2 IP-based to Controller
RF Domain size > 128 (24 low-end) APs requires on-site controller
Consider if automatic learning of staging config is required
Disable automatic FW upgrades (no device-upgrade auto)
RF Domains
Each site = unique RF Domain
Multiple RFDMs for the same RF Domain = trouble
Control VLAN is a must!
Use aliases and RF Domain overrides
Tunnelling
Tunnelling L2 over L3 is rarely a good idea (at least, control broadcasts)
MiNT tunnelling is easy to set up, but proprietary
• Must expose a controller in the DMZ
• Consider L2TP instead
• Both can automatically work through RFDM with dynamic failover
What if your uplink fails?
REFERENCE DESIGNS
Best practices
REFERENCE DESIGNS AND BEST PRACTICES
Module recap
CHECK YOUR
UNDERSTANDING
No recap this time
Plan: analyse and troubleshoot cases
CHECK YOUR UNDERSTANDING
Example: Tunnelling issues
1. Guest WLAN
− Upstream < 1Mbps
− Downstream < 1Mbps
2. Corp WLAN
− Upstream < 2Mbps
TROUBLESHOOTING ISSUE 1
Issue 1 – Validate Wireless LAN Performance
Result:
Upstream: 20Mbps
Downstream: 24Mbps
TROUBLESHOOTING ISSUE 1
Issue 1 – Validate IPSEC tunnel Performance
Result:
Upstream: 20Mbps
Downstream: 24Mbps
TROUBLESHOOTING ISSUE 1
Issue 1 – Validate Wireless LAN Performance
Result:
Upstream: 0.8 Mbps
Downstream: 1.2Mbps
TROUBLESHOOTING ISSUE 1
Issue 1 – RESOLVED
TROUBLESHOOTING ISSUE 2
Issue 2 – Validate Wireless LAN Performance
Result:
Upstream: 2 Mbps
Downstream: 20+ Mbps
TROUBLESHOOTING ISSUE 2
Issue 2 – Eliminate Wired Infrastructure
Result:
Upstream: 20+ Mbps
Downstream: 20+ Mbps
TROUBLESHOOTING ISSUE 2
Issue 2 – RESOLVED
CHECK YOUR UNDERSTANDING
Architecture issue: Local Site
CHECK YOUR UNDERSTANDING
Architecture issue: Multi-Site
CHECK YOUR UNDERSTANDING
Architecture issue: Multi-Site
CHECK YOUR UNDERSTANDING
Adoption Troubleshooting
LAN/WAN
CHECK YOUR UNDERSTANDING
Adoption Troubleshooting – Answers – Configuration
CHECK YOUR UNDERSTANDING
Adoption Troubleshooting – Answers – Discovery / connectivity issues
L2 Adoption checks:
– AP is on the same VLAN as Controller
– VLAN tagging configuration on both AP and the LAN switch port
– Native VLAN configured correctly all the way through to Controller
– No ACLs between (or directly on) the Controller and AP drop EtherType 0x8783
– Broadcast/multicast filtering is not present on LAN switches
– STP is not enabled on the LAN switch port connected to the AP
L3 Adoption checks:
– Check DHCP configuration
• AP has received correct DHCP parameters (incl option 191 syntax)
• show ip dhcp-vendor-options, service show dhcp-lease
– Check IP connectivity between Controller and AP (both ways!)
• Check default gateways on both controller and AP
• Wired client on the AP VLAN can ping the controller and vice versa
– No ACLs between (or directly on) the Controller and AP drop UDP 24576
– STP is not enabled on the LAN switch port connected to the AP
– Check whether pre-staged config is learned properly
CHECK YOUR UNDERSTANDING
Adoption issue
Is that enough?
CHECK YOUR UNDERSTANDING
Adoption issue
PART 1 SUMMARY
What you have learned:
Portfolio, licensing, key concepts
Device configuration and management
How WiNG5 architecture operates
Adoption, tunnelling, clustering, MiNT
Reference designs
Best practices
Common design/deployment mistakes
and troubleshooting
Was it useful?
WLANS AND WLAN
FEATURES
Providing Wireless Service
WLANS AND WLAN FEATURES
Module Intro
WLAN overrides
– Status: selectively enable/disable WLANs
– SSID: Have the same WLAN under different name
– VLAN Pool: Have the same WLAN mapped to
different VLANs
– Keys (WEP and WPA/WPA2 PSK): different keys
per site
– Assigned via RF Domain or Device Overrides
WLANS
Encryption
Wi-Fi Alliance banned ‘pure’ WPA/TKIP from certification starting Jan 01 2014. WEP is next.
Both can still be configured via CLI service commands (legacy clients only).
WPA2-CCMP and None are the only encryption methods supported at 802.11n/ac rates.
The 802.11 standard prohibits HT/VHT (fast) data rates when a WLAN uses any other encryption (TKIP or WEP): such clients fall back to legacy 802.11a/g rates.
WLANS
Authentication
Authentication methods supported:
– 802.1X EAP, EAP-PSK, EAP-MAC
– Kerberos
– MAC
– LEAP (pass-through)
– None
WLANS
Choosing between PSK vs. EAP
PSK EAP
Dynamic VLANs
WLANS
VLAN Mapping
VLANs can be mapped to WLANs
– Statically (at config time): As written in the WLAN profile (single / pool)
– Dynamically (at association time): RADIUS, LDAP, Role-Based Firewall,
Hotspot
• Based on server replies. Can also assign ACLs, Access time windows, etc.
• Cached along with credentials, fallback possible if no server reply.
• Requires 802.1X or MAC Authentication mode
Can map to local or tunnelled VLANs
[Figure: static VLAN pool (one WLAN load-balanced across VLAN 11, VLAN 12, VLAN 13) vs. dynamic VLAN assignment (the WLAN mapped to VLAN 11, 12 or 13 per client by a RADIUS or LDAP server)]
Best Practices
– One-to-one mapping of ESSID to BSSID
• Clients view each BSSID as a different AP
• Each individual BSS/ESS adds overhead traffic
– Set the DTIM interval to
• 10 for battery-sensitive client devices that have to work long shifts
• 2-3 for VoIP
AAA SERVICES
What can WiNG5 do?
– Certificate Support
– Credentials cached for up to 1 day
AAA SERVICES
AAA Policies – Server Pools
[Figure: AAA server pools in Load-Balanced mode and in Fail-Over mode]
AAA SERVICES
AAA Policies – Server Proxy Modes
For flexibility each RADIUS server entry includes a proxy operating mode:
– None: RADIUS exchanged directly between AP and RADIUS server
(Requires IP Address on the AP)
– Through-Controller: RADIUS exchange is proxied through the Controller
managing the AP
– Through-RF-Domain-Manager: RADIUS exchange is proxied through the
local RF Domain Manager (elected Wireless Controller or AP)
[Figure: WLANs reaching the AAA servers under each proxy mode]
AAA SERVICES
RADIUS – Examples
Can you explain the goals behind these designs?
Which one is the most popular?
[Figure: RADIUS design examples with users and AAA servers, including a Primary / Secondary / Tertiary AAA server layout]
WLANS: PSK AND 802.1X
Check your understanding
1. The deployment is using 802.11ac APs and 802.11n clients, but they don’t see any high rates. What is the most probable cause? ______________________________________
2. How many BSSIDs on a 3-radio AP8163? _______________________________________
6. You see beacons in the air with ESSID of your WLAN, but the BSSID does not match the MAC of your radio. Could it be your AP? When? When not? ________________________
WLANS: PSK AND 802.1X
Section recap
CAPTIVE PORTALS
…be my guest!
CAPTIVE PORTAL
Introduction
[Figure: captive portal enforcement modes Off / On / Fall-Back, showing how ‘optional’ Captive Portal authentication combines with EAP / MAC primary authentication in each mode]
CAPTIVE PORTAL
Web Pages
– Etc…
Web pages can be defined and stored as: wlan-name-2/
CAPTIVE PORTAL
Capture & Redirection
Prior to authentication, the Captive Portal will block traffic except for
– ARP, DHCP, DNS, White Listed hosts and packets to/from the captive portal
server (TCP ports 880 & 444)
Which common protocol is missing?
HTTP Capture & Redirection:
  HTTP Req. (216.66.22.133 Port 80) -> HTTP Redirect (Portal IP Port 880) -> HTTP Req. (Portal IP Port 880)
HTTPS Capture & Redirection:
  HTTP Req. (216.66.22.133 Port 80) -> HTTP Redirect (Portal IP Port 444) -> HTTPS Req. (Portal IP Port 444)
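The pre-authentication filter and the two redirect flows above, written out as a decision function so the allowed-list can be exercised against constructed packets. This is an added illustration in Python, not WiNG code: the portal address, the white-listed host and the simplified packet dictionaries are assumptions; the ports 880/444 and the allowed protocols are the ones listed on the slide.

```python
# Added example (not WiNG code): captive portal capture logic before a client
# has authenticated. Assumed values: PORTAL_IP, WHITELIST, the packet fields.

PORTAL_IP = "10.10.10.1"            # assumed address of the device hosting the portal
PORTAL_HTTP_PORT = 880              # from the slide
PORTAL_HTTPS_PORT = 444             # from the slide
WHITELIST = {"203.0.113.10"}        # constructed white-listed host


def preauth_decision(pkt, authenticated=False, https_portal=False):
    """Classify one client packet on the captive WLAN.

    pkt: dict with keys proto ('ARP', 'UDP', 'TCP', ...), dst_ip, dst_port.
    Returns (action, detail) with action in {'forward', 'redirect', 'drop'}.
    """
    if authenticated:
        return ("forward", "authenticated session")
    proto, dst_ip, dport = pkt["proto"], pkt.get("dst_ip"), pkt.get("dst_port")
    if proto == "ARP":
        return ("forward", "ARP")
    if proto == "UDP" and dport in (67, 68):
        return ("forward", "DHCP")
    if proto == "UDP" and dport == 53:
        return ("forward", "DNS")
    if dst_ip in WHITELIST:
        return ("forward", "white-listed host")
    if proto == "TCP" and dst_ip == PORTAL_IP and dport in (PORTAL_HTTP_PORT, PORTAL_HTTPS_PORT):
        return ("forward", "portal server")
    if proto == "TCP" and dport == 80:
        # Capture: the AP answers the client's HTTP request with a redirect
        # to the portal, over plain HTTP (880) or HTTPS (444).
        if https_portal:
            return ("redirect", "https://%s:%d/" % (PORTAL_IP, PORTAL_HTTPS_PORT))
        return ("redirect", "http://%s:%d/" % (PORTAL_IP, PORTAL_HTTP_PORT))
    # Everything else, including TCP/443 to arbitrary hosts, is dropped: there
    # is no way to redirect an HTTPS request without a certificate warning,
    # which is why client OSes probe the portal with a plain-HTTP request.
    return ("drop", "not permitted before authentication")


def demo():
    """Run the decision over constructed packets; returns {label: (action, detail)}."""
    cases = {
        "dns":    {"proto": "UDP", "dst_ip": "8.8.8.8", "dst_port": 53},
        "http":   {"proto": "TCP", "dst_ip": "216.66.22.133", "dst_port": 80},
        "https":  {"proto": "TCP", "dst_ip": "216.66.22.133", "dst_port": 443},
        "portal": {"proto": "TCP", "dst_ip": PORTAL_IP, "dst_port": 880},
        "ssh":    {"proto": "TCP", "dst_ip": "203.0.113.10", "dst_port": 22},
    }
    return {name: preauth_decision(p) for name, p in cases.items()}
```

Two things the table makes visible: a white-listed host is reachable on every port (the "ssh" case), so white-list entries should be as narrow as possible, and DNS is open before authentication, which is the channel DNS-tunnelling tools use to bypass hotspots; the DNS filtering discussed later in the Security Features module is the usual counter-measure.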
CAPTIVE PORTAL
Configuration – Captive Portal Policies
Captive Portal implementation consists of two parts, each defined by the same Captive Portal Policy
– The “Captive” WLAN:
  • AP will perform “Capture” on this WLAN
  • Select the Enforcement Mode
  • Map to your hotspot VLAN (Local or Tunnelled)
– The “Portal” Device (same AP or other device)
  • Hosts the Portal part (web server)
  • Talks to AAA servers (if required) using AAA policy
[Figure: the same Captive Portal Policy referenced from the WLAN (Local or Extended VLAN) and from the Device Profile]
CAPTIVE PORTAL
Example 1: Public Hotspot
[Figure: public hotspot on Local VLAN 100; the AP provides DHCP, firewall and NAT for user traffic towards the World Wide Web, while the Data Center (web server with login pages and user DB) is reached over an IPsec VPN]
CAPTIVE PORTAL
Example 2: Enterprise Tunnelled Guest Access
[Figure: enterprise tunnelled guest access; guest traffic on Ext. VLAN 200 is tunnelled from the site to the Distribution layer and exits through a NAT firewall, while AP adoption and local traffic stay on VLAN 20 / VLAN 10]
CAPTIVE PORTAL
Hotspot Recommendations
CAPTIVE PORTAL
When hotspot fails
WiNG5 can alert the user when the Captive Portal Service is not operational
– RADIUS Server is lost
– External HTTP server is lost
– Controller is lost
– Another Critical Resource is lost
  • DHCP server
  • WAN next-hop
  • DNS server
  • etc…
Present a customizable ‘Failure’ web page to the user
[Figure: Data Center (AAA Server, HTTP Server, DC Controller) reached over the Internet from the Remote Site RFDM]
GUEST REGISTRATION
Registration Methods
Device (MAC) Registration
– Prompt user for details based on Access Type and configuration (can choose fields)
– Store device MAC address in the controller’s database
– Same MAC will not require authentication on subsequent visits
– No Email or SMS passcode validation with this use case
GUEST REGISTRATION
Analytics & Statistics
DB import-export supported
WLANS: CAPTIVE PORTALS
Check your understanding
2. Captive Portal Policies must be assigned to _______ capturing and redirecting users AND to ________ hosting the Portal
3. Should the device hosting the Captive Portal have an IP Address in the Hotspot VLAN? _______________________________________________________________________
5. Which Guest Registration modes are supported? How can users identify themselves? _______________________________________________________________________
CAPTIVE PORTALS
Pre-lab recap
OTHER NOTABLE WLAN FEATURES
Device Fingerprinting
Use it for
– User analytics, monitoring and troubleshooting
• Who are my visitors?
• How many tablets have I got on the network?
• Why is this device so slow?
• What is this weird client?
• How much YouTube traffic is generated by tablets/smartphones?
– Role-based access based on device type (incl BYOD)
• Company laptop = full access
• BYOD tablet = limited access (on the same WLAN under the same user name)
OTHER NOTABLE WLAN FEATURES
Syslog URL Logging
Monitor and log the web sites users access and forward the information to
an external Syslog server
– Log guest user activity for compliance
– No license is required
– Supported on all platforms
OTHER NOTABLE WLAN FEATURES
Dynamically enabling/disabling WLANs
OTHER NOTABLE WLAN FEATURES
WLAN Tips and Tricks
Quick overview of WLAN config
– sh wireless wlan usage-mappings
– sh wireless wlan policy-mappings
Which WLANs are where?
– sh wireless radio wlan-map
– …also useful for documentation
Captive portal user management:
– no captive-portal client <mac>/<captive-portal-name>
Useful reference and regulatory info
– service sh wireless reference […]

dc#sh wireless wlan usage-mappings
-----------------------------------------------------------------------
TYPE       NAME                WLANS
-----------------------------------------------------------------------
Profile    lab-ap7131          t99-eap,t99-hspot,t99-psk1
Profile    lab-ap622           t99-eap,t99-hspot,t99-psk1
Profile    lab-ap650           t99-eap,t99-hspot,t99-psk1
AP Config  5C-0E-8B-58-8A-F4   t99-eap,t99-psk2
-----------------------------------------------------------------------

dc#show wireless radio wlan-map
-----------------------------------------------------------------------
RADIO          AP-MAC              AP-TYPE  RF-MODE      BSS IDX  MAPPED WLAN
-----------------------------------------------------------------------
ap7131-t99:R1  5C-0E-8B-58-8A-F4   ap71xx   2.4GHz-wlan  1        t99-psk1*
                                                         2        t99-eap*
ap7131-t99:R2  5C-0E-8B-58-8A-F4   ap71xx   5GHz-wlan    1        t99-psk2*
                                                         3        t99-eap*
ap7131-t99:R3  5C-0E-8B-58-8A-F4   ap71xx   sensor
ap650-t99:R1   5C-0E-8B-98-C4-94   ap650    sensor       1        t99-psk1*
                                                         2        t99-eap*
                                                         3        t99-hspot*
ap650-t99:R2   5C-0E-8B-98-C4-94   ap650    5GHz-wlan    1        t99-psk2*
ap622-t99:R1   B4-C7-99-57-C4-1C   ap622    2.4GHz-wlan  1        t99-psk1*
                                                         2        t99-eap*
ap622-t99:R2   B4-C7-99-57-C4-1C   ap622    5GHz-wlan    1        t99-psk2*
-----------------------------------------------------------------------
WLANS AND WLAN FEATURES
Module recap
WLAN OPTIMIZATION
FEATURES
Optimize your WLAN for enhanced
performance
WLAN OPTIMIZATION FEATURES
Module Intro
SMART-RF
Introduction
[Figure: SMART-RF functions]
– Off-Channel Scanning
– Application Aware (Voice, PSP)
– Coverage Hole Detection
– Optimum TX Power Selection
– Interference Avoidance
– Optimum Channel Selection
– On-board WIPS Detector
– Neighbor Recovery
SMART-RF
Off-Channel Scanning and 24/7 Calibration
SMART-RF
Neighbour Recovery
[Figure: neighbour recovery; radios labelled Normal / Rescue with power levels of 12db, 14db, 15db and 17db. Step 1: Neighbor radios monitor the Air]
SMART-RF
Coverage Hole Recovery
[Figure: coverage hole recovery with client SNR 21db. Step 4: If the client SNR is maintained, the AP will reduce its TX power]
Three presets available for easy setup
– Can be fully customized and tuned
– Additional grouping by floor, building, etc
Example policies:
smart-rf-policy HQ
enable
group-by building
sensitivity custom
assignable-power 5GHz min 11
assignable-power 5GHz max 15
assignable-power 2.4GHz min 8
assignable-power 2.4GHz max 12
channel-list 5GHz 36,40,44,48
channel-width 2.4GHz 40MHz
interference-recovery client-threshold 5
!
smart-rf-policy Branch
enable
group-by floor
sensitivity custom
assignable-power 5GHz min 11
assignable-power 5GHz max 15
assignable-power 2.4GHz min 8
assignable-power 2.4GHz max 12
channel-list 5GHz 149,153,157,161
channel-width 2.4GHz 40MHz
interference-recovery client-threshold 5
!
LAB: SMART RF
Lab 07:
– Create and Assign SMART RF Policy
SMART-RF
How does Smart-RF affect performance?
SMART RF
Controlling the air
SMART RF
Check your understanding: what’s wrong with this AP?
SMART RF
RF Reports and visualizations
Limitations:
– Not as accurate as ADSP
– Does not take into account material
properties
– No historical/forensic support
Still reports real-world data!
EXERCISE: SMART RF
REPORT
SMART-RF
Check your understanding
1. Which SMART RF preset, would you think, optimises performance with coverage and is recommended by default? __________________________________________________
2. When running a throughput test, would you want to keep SMART RF on? _______________________________________________________________________
3. Can SMART RF eliminate the need for proper RF design and site survey? _______________________________________________________________________
5. For recovery mechanisms to work, what should be the max SMART RF radio power? _______________________________________________________________________
WLAN OPTIMIZATION
Improving airtime and battery utilization
Proxy ARP
– Controllers and APs generate ARP VLAN 10
WLAN OPTIMIZATION
QoS Support
WLAN OPTIMIZATION
Load Balancing
Load
– The number of users on an
AP/channel/frequency band and throughput
generated across the WLAN.
– Configured per WLAN and per AP
WLAN OPTIMIZATION
Roaming assist
Roaming Assist
– APs monitor clients and force-roam them
– Flexible criteria and filters to adjust aggressiveness
– Puts WLAN Admin & WLAN Designer back in control
– Configured via roaming-assist-policy (per WLAN or per radio)
WLAN OPTIMIZATION FEATURES
Module recap
MESH FEATURES
Absolutely wireless
MESH FEATURES
Module Intro
WING5 MESH
Overview
MESHCONNEX MESH
How MCX works – Self-forming
[Figure: mesh self-forming; AP1, AP4, AP6 and AP7 towards the Internet gateway, with links labelled by Link Quality and Path Metric]
MESHCONNEX MESH
How MCX works – Self-healing
[Figure: mesh self-healing with the same AP1, AP4, AP6 and AP7 topology towards the Internet]
MESHCONNEX MESH
Opportunistic Rate Link Adaptation (ORLA)
MESHCONNEX MESH
How hard is it to set up?
MESHCONNEX MESH
How hard is it to manage?
MESH FEATURES
Check your understanding
1. There are ___ mesh options available: ______-Hop MiNT mesh and _________ mesh
4. Does MCX provide scalability, reliability, self-healing and optimal performance in a Virtual Controller network? _______________________________________________________
MESH FEATURES
Module recap
PART 2 SUMMARY
What you have learned:
Wireless LANs
Captive Portals
WLAN Optimization Features
Mesh
Was it useful?
SECURITY
FEATURES
Distributed Wireless Protection
SECURITY FEATURES
Module Intro
SECURITY
Wireless threats – are they the same as wired?
[Figure: mobile users on the wireless VLAN and the wired VLAN behind the WAN, a protected segment, the INTERNET and a public hotspot]
1. Rogue AP, Rogue station, LAN<->WLAN bridging (bypassing enterprise security)
2. Hotspot phishing, Evil Twin, Accidental/malicious association (public hotspot)
3. Exploiting known infrastructure vulnerabilities
4. Encryption hacks, Denial of Service
Scouting
SECURITY
WiNG5 Security Features
– VMs running on the client
– Loops
– Multiple subnets on the same VLAN
– Secondary IP addresses
– ICMP redirects, VRRP, etc…
Snoop binding entry as shown by the firewall:
-------------------------------------------------------------------------------
Snoop Binding <192.168.10.102, 00-13-02-2E-78-82, Vlan 10>
Type dhcp-client, Touched 2229 seconds ago
Mint ID: 70.e6.98.1c
router ip #1 - 192.168.10.1
dns ip #1 - 192.168.10.6
netmask = /24
Lease Time = 691200 seconds
-------------------------------------------------------------------------------
FIREWALL FEATURES
IP / MAC Conflict Detection Trusts
Each physical port and WLAN can be configured to trust or un-trust ARP
and DHCP packets and drop suspicious packets
– ARP Trusted / Un-trusted
• ARP inspection and spoofing protection off /on
– DHCP Trusted / Un-trusted
• Will allow / block DHCP offers and ACKs received
• Implies valid DHCP server is present/absent
This is in addition to firewall policy
– service pktcap on drop will show “DHCP request to untrusted
destination”
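The DHCP and ARP trust behaviour described above, modelled as a small inspection table so the effect of trusted vs. untrusted ports can be replayed against constructed frames. This is an added Python illustration, not WiNG code: the port names, the rogue client MACs and the message sequence are constructed; the first binding copies the Snoop Binding entry shown on the previous slide.

```python
# Added example (not WiNG code): DHCP/ARP trust decisions driven by snooped
# DHCP bindings. Port names and client MACs below are constructed.
from dataclasses import dataclass, field


@dataclass
class TrustInspector:
    dhcp_trusted: set = field(default_factory=set)   # ports/WLANs allowed to source DHCP OFFER/ACK
    arp_trusted: set = field(default_factory=set)    # ports/WLANs exempt from ARP inspection
    bindings: dict = field(default_factory=dict)     # (vlan, ip) -> mac, learnt from DHCP ACKs

    def dhcp(self, port, vlan, msg_type, client_mac=None, client_ip=None):
        """Return 'forward' or a drop reason for a DHCP message received on 'port'."""
        if msg_type in ("OFFER", "ACK") and port not in self.dhcp_trusted:
            # No legitimate DHCP server is expected behind an untrusted port/WLAN.
            return "drop: DHCP %s from untrusted %s" % (msg_type, port)
        if msg_type == "ACK":
            # Snoop the lease: this is the <ip, mac, vlan> binding the firewall keeps.
            self.bindings[(vlan, client_ip)] = client_mac.upper()
        return "forward"

    def arp(self, port, vlan, sender_ip, sender_mac):
        """Return 'forward' or a drop reason for an ARP packet received on 'port'."""
        if port in self.arp_trusted:
            return "forward"
        bound_mac = self.bindings.get((vlan, sender_ip))
        if bound_mac is None:
            return "drop: no DHCP binding for %s on vlan %d" % (sender_ip, vlan)
        if bound_mac != sender_mac.upper():
            return "drop: ARP spoof, %s is bound to %s" % (sender_ip, bound_mac)
        return "forward"


def demo():
    """Replay constructed frames; returns the list of decisions in order."""
    t = TrustInspector(dhcp_trusted={"ge1"}, arp_trusted={"ge1"})
    out = []
    # 1. ACK from the real server on the trusted uplink creates the binding from the slide.
    out.append(t.dhcp("ge1", 10, "ACK", "00-13-02-2E-78-82", "192.168.10.102"))
    # 2. Rogue DHCP server on the untrusted guest WLAN: OFFER dropped, nothing learnt.
    out.append(t.dhcp("wlan-guest", 10, "OFFER", "AA-BB-CC-00-00-01", "192.168.10.200"))
    # 3. Legitimate ARP from the bound client (MAC case differs, still matches).
    out.append(t.arp("wlan-guest", 10, "192.168.10.102", "00-13-02-2e-78-82"))
    # 4. A client claims the gateway's IP, which has no DHCP lease at all.
    out.append(t.arp("wlan-guest", 10, "192.168.10.1", "AA-BB-CC-00-00-02"))
    # 5. Same IP as the bound client but a different MAC (ARP poisoning).
    out.append(t.arp("wlan-guest", 10, "192.168.10.102", "AA-BB-CC-00-00-03"))
    # 6. The same spoof arriving on the trusted wired port passes untouched.
    out.append(t.arp("ge1", 10, "192.168.10.102", "AA-BB-CC-00-00-03"))
    return out
```

Case 4 is the operational caveat: snooping-based ARP inspection only knows about addresses learnt from DHCP, so statically addressed hosts (gateways, printers, VRRP addresses) on an untrusted port are dropped until they are covered by a trust setting or a static entry, which is exactly the "multiple subnets / secondary IP / VRRP" list on the previous slide. Case 6 shows why trusting the uplink is a deliberate decision: whatever arrives there is believed.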
STATEFUL PACKET INSPECTION
Overview
Mobility-aware
– Maintains state of TCP, UDP and ICMP flows
as they traverse the Controllers or APs
– All flows are migrated as Wireless Clients
roam (with re-evaluation)
STATEFUL PACKET INSPECTION
ACLs
Each ACL must contain one or more permit rules for traffic to be forwarded:
– Rules are evaluated in order of precedence
– The first rule to match the flow is used; later rules are not evaluated
– Each ACL includes an implicit “deny any any” rule at the end
  • An empty ACL is the exception: it is equivalent to “allow any any”
STATEFUL PACKET INSPECTION
Enhanced L3 Firewall GUI
STATEFUL PACKET INSPECTION
DNS support
STATEFUL PACKET INSPECTION
Deep Packet Inspection (DPI) / Application Visibility and Control (AVC)
FIREWALL FEATURES
Role-Based Firewall (Role-Based Access Control)
WIRELESS IPS
Onboard “Enhanced” WIPS
Provides
– Smart Part Time Scanning
– Rogue AP Detection (wired and wireless)
– Mitigation and Rogue termination (wireless only)
– Device Categorization (Neighbour, Interferer, Rogue)
– 32 Signatures
– Custom Signatures
– Logging and Reporting (incl PDF)
Enabled via WIPS Policies
[Figure: WIPS Policy assigned at Device and RF Domain level]
WIRELESS IPS
Logging and Reporting
WING5 WIPS COMPARISON
FIREWALL AND IPS
How do I find what’s blocked?
service pktcap on drop
– Any drop reasons, including destination unreachable, DHCP trusts, CRC errors, etc
– Can direct packets to external FTP log file or Wireshark (discussed later)
more system:/proc/dataplane/drops
– Aggregated drop statistics
service pktcap on deny [acl-name <name>]
– Packets denied by specific ACL
ACL logging
– acl-logging (firewall policy) forward ACL drop messages to syslog
– ACL “log” action (individual ACL rule) – log interesting traffic
– Not shown in default Event History
– Tons of traffic generated – better use external syslog and disable when not used
FIREWALL
Check your understanding
1. Is the firewall enabled or disabled by default? How do you check which features are enabled by default? Do you ever want to disable the firewall completely? _______________________
2. Which of these features require a license: DPI/AVC ___ , WIPS ___ , RBAC ___ , DNS/OpenDNS filtering ___ , Web filtering ___ ?
4. How can you automatically disassociate wireless clients that attempt port scans? _______________________________________________________________________
5. Which rule is implicitly placed at the end of any MAC/IP ACL? What about an empty ACL? _______________________________________________________________________
6. What types of Rogue Detection and Termination are supported by the onboard WIPS? _______________________________________________________________________
7. What would you want to do in your network before enabling Storm Controls? _______________________________________________________________________
SECURITY FEATURES
Module recap
WAN FEATURES
Connecting sites w/o third-party equipment
WAN FEATURES
Module Intro
WAN
Backhaul Features
L3 over L3: IPsec VPN
– Encapsulates and forwards IPv4 traffic over an encrypted tunnel
– Flexible traffic selection via ACL
– Dead peer detection and failover (CRM support), NAT and NAT-T support
– Widely supported by third-party routers, VPN gateways and firewalls
– Complex to configure compared to L2TPv3
L2 over L3: L2TPv3
– Simpler to set up than IPsec, but less flexible
– Encapsulates and forwards layer 2 traffic over an un-encrypted tunnel, or an encrypted one when the L2TPv3 tunnel is carried inside IPsec (L2TPv3 has no encryption of its own)
– Allows tunnelling selected VLANs (can bridge or route traffic)
– Multiple establishment and failover options, CRM support
– Widely supported by third-party routers and concentrators
L2 over L3: L2 MiNT Links
– Allow tunnelling selected VLANs (can bridge or route traffic)
– Can be easily set up in a secure manner with Auto IPsec Secure
  • Including through intermediate VPN gateway and NAT
– Failover supported via RF Domain Manager mechanism
– A lot easier to set up and maintain than IPsec and L2TPv3, but proprietary
PPPoE support with IPsec and NAT
[Figure: Data Center to Remote Site backhaul]
WAN
Auto IPsec Secure – Automated VPN
pool1=<controller-hostname>,<controller-hostname>;ipsec-secure-group1=<vpn-gw-hostname>;level=2
WAN
Intelligent forwarding
Routing
– Static, RIPv2, OSPFv2, eBGPv4
– IPv4 and IPv6 support
Policy Based Routing
– Route traffic not just on next-hop,
but using the full power of ACLs
Split Tunnelling
– Selectively choose what goes into
tunnels based on ACL
– L2NAT – split tunnelling for L2 traffic
NAT
– Source/destination, static/dynamic
NAT and PAT.
– NAT for IPsec traffic
Rate limiting
– Physical links, Tunnelled VLANs,
Tunnels (L2TPv3)
WAN
High Availability options
WAN FEATURES
Check your understanding
4. What does Auto IPsec Secure allow? Can it be deployed “out of the box”? _______________________________________________________________________
5. How can you ensure that APs are not lost during adoption due to pushing a new config that erases their network settings? _______________________________________________
7. At least how many possible WAN scenarios can be implemented using the options above? _________________________________________________________________
WAN FEATURES
Module recap
EFFICIENT
MANAGEMENT AND
OPERATIONS
Tips & tricks
EFFICIENT MANAGEMENT AND OPERATIONS
Module Intro
Plan:
Discuss the topics.
No recap; the aim here is to raise awareness.
FIRMWARE
MANAGEMENT
And device upgrades
FIRMWARE MANAGEMENT
Can you do it efficiently and safely?
Automatic
– Auto Install
• Fetched from external TFTP server
via DHCP option
• Rarely used
– Auto-upgrade during adoption
• Works for APs and Controllers
• Configured on adopting controller
• SC will fetch the FW from CC or
local cluster member if needed
– Disable in production environment?
FIRMWARE MANAGEMENT
Example – AP RFDM
[Figure: AP RFDM upgrade sequence, DC Cluster to remote RF Domain]
1. Device Upgrade initiated for the remote RF Domain using the CLI or Web-UI
2. Firmware for the AP 6532s / AP 6521s is transferred from the DC Cluster to the elected RF Domain Manager for the remote site
3. The elected RF Domain Manager (an AP 6532) upgrades the AP 6532s / AP 6521s within the site (by default 10 at a time) and upgrades itself last
4. If selected, the RF Domain Manager reboots all the Access Points at the site
[Figure: Site Controller upgrade sequence, DC Cluster to remote RF Domain with an active and a standby RFS 6000 Site Controller]
1. Device Upgrade initiated for the remote RF Domain using the CLI or Web-UI
2. Firmware for the RFS 6000 Site Controllers and for the Access Points is transferred from the DC Cluster to the active Site Controller; the firmware is installed on both Site Controllers
3. The standby Site Controller upgrades, then the active Site Controller upgrades itself
4. Once the Site Controllers are back on-line, the Access Points are upgraded (by default 10 at a time) and are automatically rebooted or manually reset
5. The Access Points un-adopt and re-adopt to the Site Controller (or to the Centralized Controller)
FIRMWARE MANAGEMENT
Considerations
Recommended concurrent upgrades:
• Site Controller: <= 20
• RFDM AP: <= 10
• DC Controller: <= 128
– Tune based on bandwidth available
“Lean” Controller images

cc#device-upgrade load-image ap6532 http://172.16.20.99:8080/AP6532-5.5.0.0-055B.img
-------------------------------------------------
CONTROLLER   STATUS    MESSAGE
-------------------------------------------------
dc           Success   Successfully initiated
-------------------------------------------------
MASS MANAGEMENT/DEPLOYMENT
How do you deal with that?
Retail Scenario: 500 stores
– No site controller
– Each has own IP subnet, has to have 2 ACLs
– Each has own on-site AAA proxies
– PSK, SSID differ per store
…and then deploy another WLAN in all stores and edit ACLs
[Figure: Store 1 with 192.168.100.0/22, VLAN 10, 192.168.103.0/24 and a Permit rule]
MASS MANAGEMENT/DEPLOYMENT
Overview
WiNG5 Delivers
– Configuration model
• Profile/override system itself
• Auto Provisioning wildcards
• Network object aliases: host IP/names, subnets, VLANs, flows (protocol/port),
etc…
• RF Domain overrides
– Operations
• CLI shortcuts
• Automation of file management operations
– Device upgrades / reboots, captive portal pages upload, etc
• Remote /distributed command execution (show … on …), debugging and packet
capture
ADOPTION
Auto-provisioning wildcards
Less is More:
– Shorter configuration, quicker deployments, improved scalability
ADOPTION
Match tags available for wildcards (most popular ones)
TAG             Description                                                 Example
$FQDN           Fully Qualified Domain Name substring                       ap001.site01.corp.com
$DNS-SUFFIX     Just the domain part of the FQDN                            *.site01.corp.com
$DHCP           DHCP option 191 substring if the ‘rf-domain’ tag is present   pool1=10.0.1.1;rf-domain=site001; level=2
$SN, $MODEL     Exact Serial Number / Model match
$AUTO-RF-DOMAN  RF Domain of the adopter
Syntax: $TAG[start character:end character]. Can you guess what these do?
– test-$FQDN[4:6], test-$FQDN
– test-$FQDN[4:], test-$FQDN[:4], test$-FQDN[:4]
– st$DHCP-$FQDN[4:6]remote
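The two pieces of syntax on this slide and the Auto IPsec Secure slide, the DHCP option 191 string (`pool1=…;rf-domain=…;level=2`, `ipsec-secure-group1=…`) and the `$TAG[start:end]` wildcard, worked through in Python as an added example. This is not WiNG code: the exact character indexing WiNG applies to `$TAG[start:end]` is not stated on the page, so the code assumes 0-based, end-exclusive positions (Python slice semantics) and `$DNS-SUFFIX` is taken as everything after the first dot; the hostnames and option strings are constructed.

```python
# Added example (not WiNG code): parse DHCP option 191 and expand
# auto-provisioning wildcards. Assumption: [start:end] uses 0-based,
# end-exclusive character positions; WiNG's exact indexing is not on the page.
import re


def parse_option191(text):
    """Return the option 191 tags as a dict; comma-separated values become lists."""
    out = {}
    for part in text.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("bad option 191 element: %r" % part)
        key, value = (s.strip() for s in part.split("=", 1))
        out[key] = value.split(",") if "," in value else value
    return out


# $TAG optionally followed by [start:end]; both positions may be empty.
_WILDCARD = re.compile(r"\$(FQDN|DNS-SUFFIX|DHCP|SN|MODEL)(?:\[(\d*):(\d*)\])?")


def expand(template, fqdn, option191=None, serial="", model=""):
    """Substitute the wildcards in 'template' for one AP.

    $DHCP is only defined when option 191 carries an rf-domain tag, as the
    slide states; it expands to the empty string otherwise.
    """
    opt = parse_option191(option191) if option191 else {}
    values = {
        "FQDN": fqdn,
        "DNS-SUFFIX": fqdn.split(".", 1)[1] if "." in fqdn else "",   # assumed definition
        "DHCP": opt.get("rf-domain", ""),
        "SN": serial,
        "MODEL": model,
    }

    def repl(match):
        value = values[match.group(1)]
        if match.group(2) is None and match.group(3) is None:   # no [start:end]
            return value
        start = int(match.group(2)) if match.group(2) else None
        end = int(match.group(3)) if match.group(3) else None
        return value[start:end]

    return _WILDCARD.sub(repl, template)
```

Note that `test$-FQDN[:4]` from the slide contains no valid tag (`$-FQDN`), so it is left untouched: a typo in a wildcard silently produces a literal, which is worth checking in the resulting RF Domain or profile names before relying on them for per-site overrides.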
Use different values for the same Alias for different sites
– On site1: ‘AAA-Servers’ = 172.16.1.111, 172.16.1.112’
– On site2: ‘AAA-Servers’ = 172.16.2.111, 172.16.2.112’
– Just put overrides in RF-Domains
FIREWALL ALIASES
Example: without aliases
IP ACL for Guest User Traffic that permits DHCP, DNS, HTTP, HTTPS and IPsec traffic.
Idx  Action  Source            Destination      Protocol / Ports     Options
10   Permit  Any               Any              UDP Src:67 Dst:68    No No Yes
11   Permit  192.168.25.0/24   208.67.222.222   UDP Dst: 53          No No Yes
12   Permit  192.168.25.0/24   208.67.220.220   UDP Dst: 53          No No Yes
20   Permit  192.168.25.0/24   Any              TCP Dst: 80          No No Yes
21   Permit  192.168.25.0/24   Any              TCP Dst: 443         No No Yes
31   Permit  192.168.25.0/24   Any              UDP Dst: 500         No No Yes
32   Permit  192.168.25.0/24   Any              UDP Dst: 4500        No No Yes
FIREWALL ALIASES
Example: with aliases
Idx  Action  Source       Destination    Protocol / Ports   Options
11   Permit  $GUEST-NET   $DNS-SERVERS   UDP Dst: 53        No No Yes

Network Alias $GUEST-NET:    Network: 192.168.25.0/24
Network Alias $DNS-SERVERS:  Host: 208.67.222.222, Host: 208.67.220.220
Services Alias $WEB:         Idx 1  TCP  Src Port ANY  Dst Port 80
Services Alias $IPSEC:       Idx 1  ESP  Src Port ANY  Dst Port ANY
Services Alias (DHCP):       Idx 1  UDP  Src Port 67   Dst Port 68
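The guest ACL from the previous two slides evaluated the way “Stateful Packet Inspection – ACLs” describes it: rules in precedence order, first match wins, an implicit deny any any at the end, and an empty ACL permitting everything. This is an added Python illustration, not WiNG code: the alias names follow this slide, the `$IPSEC` contents (ESP plus UDP 500/4500) combine the alias shown here with the rules of the slide before, and the test flows are constructed.

```python
# Added example (not WiNG code): first-match ACL evaluation over alias-based
# rules. Flows are constructed; $WEB/$IPSEC contents merge the two slides.
import ipaddress

NETWORK_ALIASES = {
    "$GUEST-NET": ["192.168.25.0/24"],
    "$DNS-SERVERS": ["208.67.222.222", "208.67.220.220"],
}
# service entry: (protocol, src_port or None for any, dst_port or None for any)
SERVICE_ALIASES = {
    "$WEB": [("tcp", None, 80), ("tcp", None, 443)],
    "$IPSEC": [("esp", None, None), ("udp", None, 500), ("udp", None, 4500)],
}
# (precedence, action, source, destination, service alias or inline service list)
GUEST_ACL = [
    (10, "permit", "any", "any", [("udp", 67, 68)]),
    (11, "permit", "$GUEST-NET", "$DNS-SERVERS", [("udp", None, 53)]),
    (20, "permit", "$GUEST-NET", "any", "$WEB"),
    (30, "permit", "$GUEST-NET", "any", "$IPSEC"),
]


def _addr_match(spec, ip):
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in NETWORK_ALIASES[spec])


def _svc_match(spec, proto, sport, dport):
    entries = SERVICE_ALIASES[spec] if isinstance(spec, str) else spec
    return any(p == proto and s in (None, sport) and d in (None, dport) for p, s, d in entries)


def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, rule_index); rule_index is None for the implicit rules."""
    if not acl:
        return ("permit", None)          # empty ACL behaves as "allow any any"
    for idx, action, s_spec, d_spec, svc in sorted(acl, key=lambda r: r[0]):
        if _addr_match(s_spec, src) and _addr_match(d_spec, dst) and _svc_match(svc, proto, sport, dport):
            return (action, idx)         # first match wins; later rules are never consulted
    return ("deny", None)                # implicit "deny any any"
```

Two consequences worth checking on a real guest ACL: DNS to any resolver other than the two listed hosts falls through to the implicit deny, which is what makes the DNS-filtering servers mandatory rather than advisory for guests, and rule 10 permits DHCP server-to-client traffic from any source, so it is the DHCP trust setting on the WLAN, not this ACL, that stops a guest running a rogue DHCP server.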
VLAN ALIASES
Overview
– WLAN overrides
  • SSID
  • WPA/WPA2 PSK or WEP key
  • VLAN – VLAN mapping
  • Status (enabled / shutdown)
– Firewall Objects
  • Hosts, Subnets, Source VLANs, Protocols, Ports
– VLAN IDs
  • WLAN Tunnelling
  • Bridge VLAN
  • L2TPv3 VLANs
– SMART RF
  • Channel list
Minimize the amount of config objects
Simplify change management
[Figure: RF Domain overrides applied to WLAN SSID, WPA/WPA2 PSK, WEP Key, Shutdown, VLAN IDs and SMART RF VLAN(s)]
MASS MANAGEMENT/DEPLOYMENT
The end result
[Figure: one IP-ACL STORES-WLAN-IN written against the aggregate 192.168.120.0/22, with per-store Overrides for VLAN 10 and the Store Server 192.168.120.10/24]
EFFICIENT MANAGEMENT AND OPERATIONS
Module recap
WING5
TROUBLESHOOTING
TOOLKIT
How To Make It Work Again
WING5 TROUBLESHOOTING TOOLKIT
Module Intro
TROUBLESHOOTING
What can go wrong
TROUBLESHOOTING
Top rules of troubleshooting
– How is it supposed to be?
– Where did it go wrong?
– How to fix it?
– Assume nothing
– Trust no one
– Pay attention
– What is normal?
LOGGING AND DEBUGGING
Logging setup
LOGGING AND DEBUGGING
WING5 Debugging Capabilities (only important ones)
Category Description and Subcategories
aaa Authentication, authorization, and accounting (RADIUS, etc)
adv-wips Advanced WIPS
ap AP (Adoption, Connect/Disconnect/Reset, Upgrade, etc)
captive-portal Captive Portal (Authentication, Clients, Sessions, State, etc)
certmgr Certificates Manager (Certificate Installed/Failed/Removed/etc)
cfgd Configuration Daemon (lots of subcategories)
cluster Clustering Module
crm Critical Resource Monitoring
dhcpsvr DHCP Server (Status, Interfaces, Leases, Relay)
diag Hardware Diagnostics
dot11 802.11 MAC Level events (Client Association/Disassociation, EAP, MAC, Kerberos, Voice, WPA, etc)
filemgmt File Management (Upload/Download/Copy/etc)
fwu Firmware Update
licmgr License Manager (License Installed, Removed, Invalid)
mesh Mesh (Links status, etc)
nsm Network Services Manager (Interface L2 and L3 status changes)
pm Process Monitor
radconf RADIUS Server Configuration and Status
radio Radio Modules Status and DFS
smrt SMART RF Related
system OS Status (Login, UI, Clock, etc)
ADVANCED DEBUGGING
Remote Debugging – Overview
ADVANCED DEBUGGING
Remote Debugging – CLI Command Syntax
Can be enabled on
ADVANCED DEBUGGING
Remote Debugging – Presentation
Console (default):
– Real-time (as soon as each filtered event is captured):
ADVANCED DEBUGGING
Remote Debugging – Clients and duration
ADVANCED DEBUGGING
Remote Debugging – Events
ADVANCED DEBUGGING
Remote Debugging – Sessions
ADVANCED PACKET CAPTURE
Overview
ADVANCED PACKET CAPTURE
Remote Packet Captures
ADVANCED PACKET CAPTURE
Capture Points (most important ones)
Multiple capture points and direction (in/out) can be specified in the same session:
Ex: capture on GE1, wireless, bridge and drop to see how the packets flow.
interface   Packets transmitted / received over a physical interface, port channel, VLAN, etc
bridge      Packets translated through the Ethernet bridge: LAN<->WLAN, WLAN<->WLAN, LAN<->LAN
wireless    Packets transmitted / received over Wireless LANs (LAN<->WLAN, WLAN<->WLAN). Presented as unencrypted Ethernet II frames.
radio       Raw 802.11 frames transmitted / received over the 802.11 radio. May be encrypted.
drop        Packets dropped by the device, with drop reason: blocked by firewall, no route to host, etc.
ADVANCED PACKET CAPTURE
Filters
By default without any filters applied the first 50 packets from the capture
point will be matched!
ADVANCED PACKET CAPTURE
WING5 Capture Filters (only important ones)
ADVANCED PACKET CAPTURE
Sniffer Redirect
TZSP
TROUBLESHOOTING
GUI Tools
TROUBLESHOOTING
Crash information
TROUBLESHOOTING
When nothing helps
TROUBLESHOOTING
What is the key challenge of performance troubleshooting?
3. Investigate & Mitigate: Use specialized tools to investigate, analyse and ultimately fix the problem
TROUBLESHOOTING
ADSP / nSight Toolset
WING5 TROUBLESHOOTING TOOLKIT
Check your understanding
5. What is the challenge with troubleshooting performance issues? Which tools can you use? __________________________________________________________________
WING5 TROUBLESHOOTING TOOLKIT
Module recap
PART 2 SUMMARY
What you have learned:
WiNG Security Features
WAN Features
Efficient Management and Operations
Mass Management
WiNG Advanced Troubleshooting
Was it useful?
WLAN DESIGN CONSIDERATIONS
Objectives and Plan
Plan
Discuss
Extended discussion if we have more time
Things to reflect upon
Wrap up
WLAN DESIGN
What is the goal of the design process?
What are the typical WLAN requirements? Can you list a few?
____________________________
____________________________
____________________________
____________________________
____________________________
____________________________
WLAN DESIGN
Key choice: coverage or capacity?
Coverage Capacity
WLAN DESIGN
Typical WLAN design approach – can you do it?
WLAN DESIGN
How to calculate the number of cells required?
Consider
– How many AP8132 (802.11n, 3x3:3, dual-radio) are needed to support
– 100 clients each requiring 2Mbps (video streaming)
Easy answer
– Calculate AP capacity, divide by client bandwidth requirements
– AP8132: 3 Spatial steams = 450Mbps per radio = 900 Mbps per AP
– 900Mbps / 2Mbps = 450 clients per AP ==> 1 AP is more than enough
Correct answer
– …is a question
– …that requires a lot of understanding
WLAN DESIGN
How is L2 affected by L1?
– FSPL is different; different materials behave differently
– SNR and minimum Rx Sensitivity requirements
– WLAN adapter/antenna design = different Rx Sensitivity
– Multipath, fading, interference
– Power asymmetry
WLAN DESIGN CONSIDERATIONS
Adjusted WLAN design approach – can you do it?
WLAN DESIGN
One thing to remember
There is MORE than meets the eye
WLAN DESIGN CONSIDERATIONS
Check your understanding
Example things to reflect upon. Can you answer these questions?
– How many times is 20dBm signal stronger than 10dBm signal?
– You have an isotropic radiator. You measure RSSI at distances of 5m, 10m, 50m and 100m
from the source. How is signal loss (in dB) at a segment of 5m to 10m related to loss on a
segment from 50m to 100m?
– What happens when you mount an AP on a metallic surface?
– Customer is reporting RSSI at the client at +10dBm What do you think of this?
– You are doing a site survey in the warehouse, where the signal is consistently > -30dBm
and there are at least 14 APs seen from any point of the building. The heatmap is solid
green, but the network is slow and unstable. Why?
– What is the key difference is channel planning between DSSS and OFDM channels?
– Why would you want to hang an antenna upside down?
– What is the minimal recommended omni antenna separation from pillars, walls and
columns? Can you calculate/estimate it?
– Describe the difference in antenna patterns of ceiling-mount vs wall-mount patch antenna.
– Describe precisely the boundaries of a collision domain in WLAN. Why is that important?
– Describe precisely the boundaries of a broadcast domain in WLAN. Why is that important?
– How is WLAN threat model different from LAN threat model? How can traditional LAN
security tools protect from WLAN-specific threats?
– What happens to multicast in 802.11 networks? How does this affect video and audio
broadcasting over WLAN?
– Why is there so much special attention to Bonjour protocol when using WLANs?
WRAP UP
The End is Near…
WRAP UP
Check your learning
Explain all key WING5 characteristics without using the documentation
Explain how all core WiNG5 features work using the student guide
Deploy all standard configurations covered in course using documentation
90%+ of what is typically encountered in the field
Configure other WiNG5 features using WiNG HOW-TOs
Describe advanced WiNG5 features using the study guide
Explain, follow and deploy WING5 best practices and reference designs
Explain the key WLAN design challenges and caveats
Troubleshoot any configuration you have built using available aids
WRAP UP
Key information sources
SUMMARY TO ALL SUMMARIES
You are now in control of WING5!
You’re awesome!
THANK YOU