NETWORKING PROFESSIONAL (ACNP)
Introductions
Facilities Discussion
  Course material distribution
  Course times
  Restrooms
  Break room
  Smoking area
Break Schedule
  Morning break
  Lunch break
  Afternoon break
2013 Aerohive Networks CONFIDENTIAL
2-Day Hands-on
http://www.aerohive.com/techdocs
Second-level course
Aerohive Employees
Aerohive Forums
Please take a moment and register during class if you are not already a member of HiveNation.
Go to http://community.aerohive.com/aerohive and sign up!
Aerohive Social Media
The HiveMind Blog: http://blogs.aerohive.com
Follow us on Twitter: @Aerohive
Instructor: David Coleman: @mistermultipath
Instructor: Bryan Harkins: @80211University
Instructor: Gregor Vucajnk: @GregorVucajnk
Instructor: Metka Dragos: @MetkaDragos
Please feel free to tweet about #Aerohive training during class.
We also provide service toll-free from within the US & Canada by dialing (866) 365-9918. Aerohive has Support Engineers in the US, China, and the UK, providing coverage 24 hours a day.
Copyright 2011
Copyright Notice
QUESTIONS?
Aerohive Switching Platforms
SR2024P: 24 Gigabit Ethernet ports, 24 PoE+ (195 W)
SR2124P: 24 Gigabit Ethernet ports, 24 PoE+ (408 W)
SR2148P: 48 Gigabit Ethernet ports, 48 PoE+ (779 W)
Other attributes shown on the slide: switching only, 56 Gbps switching, single power supply
SR2024 as branch router (diagram: SR2024 with Internet uplink, USB 3G/4G LTE backup, RADIUS server, DHCP server, and PoE-powered APs)
  Client Visibility: view client information by port
  RADIUS Server
  Internet Router
  DHCP Server
  USB 3G/4G Backup
  Policy-based routing with Identity
HiveManager
  RF Planner, Topology, Reporting, SLA Compliance, Heat Maps, Guest Mgmt
  Express Mode
  Enterprise Mode: enterprise sophistication, multiple network policies, multiple user profiles/SSIDs
  HiveManager Appliance (2U): redundant power and fans, HA redundancy, 5000 / 8000 APs
  HiveManager Online: cloud-based SaaS management
(Diagram: sample upgrade path as deployment size and network complexity increase)
HiveManager Appliance
HiveManager Databases
VPN Gateways
BR200: single radio 1x1 11bgn; L3 IPSec VPN gateway; 5-10 Mbps FW/VPN; 5x 10/100 (BR200) or 5x 10/100/1000 (BR200-WP) Ethernet; 0 or 2x PoE PSE
AP330 / AP350: dual radio; L3 IPSec VPN gateway; 30-50 Mbps FW/VPN; 2x 10/100/1000 Ethernet; 0 PoE PSE
VPN Gateway appliance (physical/virtual): ~500 Mbps VPN; 4000/1024 tunnels (physical/virtual)
BR200 / BR200WP
BR200: 5x FastEthernet, no integrated PoE, no console port, no spectrum analysis, no SNMP logging
BR200WP: 5x Gigabit Ethernet, console port, SNMP support
Aerohive AP Platforms
Models on the slide: AP121, AP141, AP330, AP350, AP230*, AP370, AP170, AP390
Environment: indoor, indoor industrial, outdoor
Radios: dual radio 802.11n, 2x2:2 300 Mbps high power radios or 3x3:3 450 Mbps high power radios
Ethernet: 1x Gig.E, or 2x Gig.E with PoE failover; PoE (802.3at); USB for future use
Rating: plenum rated; dust proof (outdoor)
Operating temperature: 0 to 40C, -20 to 55C, or -40 to 55C
VPN tunnels: N/A or 1024 tunnels
Use a VPN Gateway Appliance instead of an AP when higher scalability for these features is required
Function / Scale (values listed on the slide): VPN Tunnels: 4000 Tunnels; DHCP server; 9999; 1024; 256
QUESTIONS?
Lab Infrastructure (diagram)
Core: HiveManager; Router with VLAN 1 (10.100.1.1/24), VLAN 2 (10.100.2.1/24), VLAN 8 (10.100.8.1/24), VLAN 10 (10.100.10.1/24)
Distribution: SR2024 (Instructor Space / Student Space)
Access: SR2024 PoE switches, each with an AP and a PC (Student 2 ... Student X)
SWITCHING
TRAINING LAB 1: https://training-hm1.aerohive.com / https://72.20.106.120
TRAINING LAB 2: https://training-hm2.aerohive.com / https://72.20.106.66
TRAINING LAB 3: https://training-hm3.aerohive.com / https://209.128.124.220
TRAINING LAB 4: https://training-hm4.aerohive.com / https://203.214.188.200
TRAINING LAB 5: https://training-hm5.aerohive.com / https://209.128.124.230
Supported Browsers: Firefox, Internet Explorer, Chrome, Safari
Go to Configuration
Name: Access-X
Check the options for Wireless Access, Switching, and Bonjour Gateway
Click Create
(Diagram: Internet, 3G/4G LTE, BR100, BR200, PoE, mesh, APs)
Switching: Used to manage wired traffic using Aerohive Switches
(Diagram: Internet, SR2024 with PoE-powered APs)
Network Configuration
Next to SSIDs click Choose
Then click New
Name: Employee-X
Attribute Number: 10
Default VLAN: From the drop-down box, select Create new VLAN, type 10
Click Save
Ensure the Employee-X User Profile is highlighted
Click Save
Spanning Tree
Easy to solve, right? Just disconnect one cable. But now there is no redundancy. Have no fear!
There was once a loop to be,
In a redundant path for everyone to see.
The packets went round and round,
Until a new sheriff was found.
His name? Well, Spanning Tree!
Spanning Tree
So what does the Spanning Tree Protocol (STP) do? High level overview:
1. All interfaces are blocked (for non-STP traffic) while the switches elect a root bridge (switch). ("I am root!")
   The root doesn't have to calculate.
Port cost by link speed: 1 Gbit: cost 20,000; 100 Mbit: cost 200,000
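As an added example (not part of the course material), the root-bridge election and the root-path-cost calculation sketched above, modelled in Python. The two port costs come from the slide; the 10 Mbit and 10 Gbit costs are the 802.1D-2004 values, and the bridge IDs, MAC addresses and topology are constructed.

```python
# Added example (not from the Aerohive course): a minimal model of the STP
# root-bridge election and root-path-cost calculation described on the slide.
from collections import defaultdict
import heapq

# Port cost by link speed in Mbit/s: the two values from the slide
# (1 Gbit = 20,000; 100 Mbit = 200,000) plus the 802.1D-2004 values for
# 10 Mbit and 10 Gbit links.
PORT_COST = {10: 2_000_000, 100: 200_000, 1000: 20_000, 10_000: 2_000}


def elect_root(bridges):
    """bridges: {name: (priority, mac)}. Lowest priority wins; ties are
    broken by the lowest MAC address (the 'I am root!' election)."""
    return min(bridges, key=lambda b: (bridges[b][0], bridges[b][1]))


def root_path_costs(root, links):
    """links: [(bridge_a, bridge_b, speed_mbit)]. Returns the lowest
    cumulative port cost from every bridge to the root (Dijkstra).
    The root itself has cost 0: it does not have to calculate anything."""
    adj = defaultdict(list)
    for a, b, speed in links:
        adj[a].append((b, PORT_COST[speed]))
        adj[b].append((a, PORT_COST[speed]))
    best = {root: 0}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best.get(node, float("inf")):
            continue  # stale entry
        for nxt, c in adj[node]:
            if cost + c < best.get(nxt, float("inf")):
                best[nxt] = cost + c
                heapq.heappush(heap, (cost + c, nxt))
    return best


# Constructed lab-style topology: a core switch, two distribution switches
# and an access switch that also has a redundant 100 Mbit link to the core.
# The core is given the lowest priority so it wins the election.
BRIDGES = {"core": (4096, "00:00:00:00:00:01"),
           "dist1": (32768, "00:00:00:00:00:02"),
           "dist2": (32768, "00:00:00:00:00:03"),
           "access": (32768, "00:00:00:00:00:04")}
LINKS = [("core", "dist1", 1000), ("core", "dist2", 1000),
         ("dist1", "access", 1000), ("dist2", "access", 1000),
         ("core", "access", 100)]


def demo():
    """Elect the root and return (root, {bridge: root path cost})."""
    root = elect_root(BRIDGES)
    return root, root_path_costs(root, LINKS)


if __name__ == "__main__":
    print(demo())
```

The access switch reaches the root more cheaply over two gigabit hops (40,000) than over its direct 100 Mbit link (200,000), which is why the slow link ends up blocked.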
DEVICE TEMPLATES FOR DEFINING SWITCH PORT SETTINGS
Device Templates
HiveManager Device Templates are used to assign switches at the same or different sites to a common set of port configurations.
(Diagram: Access/Edge SR2024 PoE switches with APs)
Device Templates
Device templates are used to define ports for the same device, devices with the same number of ports, and device function.
Device templates do not set device function, i.e. switch, router, or AP, but will only match devices configured with the matching function.
You configure a device's function in the device-specific configuration.
Apply to SR2024 switches configured as routers. Requires WAN port.
Device Templates For Devices Requiring Different Port Settings
(Diagram: SR2024 as Switch at Default Sites; SR2024 as Switch at Small Sites; each with PoE-powered APs)
1. Configure device classification tags to have different device templates for different devices
2. Create a new network policy with a different device template
Note: The switch model (2024) used in the lab has been superseded by improved models.
CONFIGURE DEVICE TEMPLATES FOR DEFINING SWITCH PORT SETTINGS
Next to Device templates, click Choose
Click New
Name: SR2024-DefaultX
Click Device Models
Select SR2024
Click OK
For SR2024, when functioning as: Select Switch
Click Save
Note: Here you are not setting the SR2024 to function as a switch. Instead, you are only specifying that this template applies to SR2024s when they are configured to function as a switch. The switch/router function is configured in switch device settings.
Note: You only see Switch as an option and not Switch and Router, because Routing was not enabled in the selection box when creating this Network Policy.
LINK AGGREGATION
Lab Infrastructure (diagram: SR2024 with PC; SR2024 with AP and PC; Distribution Switch 2 connected to the SR2024 over Aggregate 1, with AP and PC)
AGGREGATION CONFIGURATION EXAMPLE
(Diagram: HMOL; Distribution; Aggregates; Access SR2024 with AP)
Ensure that Trunk-X is selected, click OK
Click Configure
For Choose port type, select the 802.1Q trunk that you created previously: Trunk-X
Click OK
(Diagram: 3CX IP PBX at 10.100.1.?; Core; HMOL; Distribution; Access SR2024 PoE with PC)
Lab Infrastructure (diagram: HMOL; Distribution; Access SR2024 PoE with APs and IP Phones)
Click New
Name: AP-Trunk-X
Port Type: 802.1Q
QoS Classification: Trusted Traffic Source (Note: This means we are trusting the upstream network infrastructure markings); Map to DSCP or 802.1p
QoS Marking: Map Aerohive.. Map to DSCP or 802.1p
Click Save
CONFIGURE POWER SOURCING EQUIPMENT (PSE) PORTS FOR POWER OVER ETHERNET (POE)
PoE Overview
SR2024P: 24 PoE+ (195 W)
SR2124P: 24 PoE+ (408 W)
SR2148P: 48 PoE+ (779 W)
NOTE: You will only see the Interfaces (Ports) that have been assigned to a port type
Lab Infrastructure (diagram: HMOL; Distribution; Access SR2024 PoE with APs and IP Phones)
Click New
Lab Infrastructure (diagram: HMOL; Distribution; Access SR2024 PoE with APs, Guest Computers, and IP Phones)
Click New
Name: Guest-X
Port Type: Access
Most likely you will not be trusting the DSCP settings on guest devices, so click Untrusted Traffic Sources
There is no need to mark the traffic for QoS marking
Click Save
Lab Infrastructure (diagram: HMOL; Distribution; Access SR2024 PoE with APs, Employee Computers (802.1X), and IP Phones)
Click New
Click New
Name: Mirror-X
Port Type: Mirror
Click Save
Click Here: If you move your mouse over one of the defined ports, an option appears to select all ports using this port type
Name: Guest-X
Attribute: 100
Default VLAN: 8
Click Save
Ensure Guest-X is selected
Click Save
Verify your settings
Port Types
There are three user profile assignment methods:
1. (Auth) Default: If a client authenticates successfully, but no user profile attribute is returned, or if a user profile attribute is returned matching the default user profile selected
2. Auth OK: If a client authenticates successfully, and a user profile attribute is returned, it must match one of the selected user profiles you select here
(Diagram: IP Phone, Switch, Data)
You can then select a Default Voice and a Default Data user profile
The Phone & Data port is an 802.1Q port
The Phone VLAN will be tagged and sent to the IP phone via LLDP-MED
The switch port will assign the Data VLAN as the native VLAN
This way, the phone traffic is tagged, and data traffic is untagged
(CLI screenshot: interface eth1/3 configuration)
(Diagram: SR2024 with Employees, IP Phone, Data, Switch)
Create a network policy for voice
Enter a name for the voice policy, and click Next
Click Add to specify a condition
Select Windows Groups
Click Add
Click Next
Select Access granted
Remove attributes that are not needed:
  Select Framed-Protocol, and click Remove
  Select Service-Type, and click Remove
Under RADIUS Attributes, select Vendor Specific
Under Vendor, select Cisco
Click Add
Click Add again
Attribute value: device-traffic-class=voice
Click OK
Click OK
Click Next
Click Finish
Create a new policy for employee access
Policy name: Wireless or Wired Employee Access
Click Next
Port Types
Click Auth OK (Voice)
Click New
Verify Settings
UPDATE DEVICES
Click Yes
Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update
Click OK
QUESTIONS?
(Diagram: Internet; ESXi Server with HM VA; Distribution; Access SR2024 PoE with AP; Ethernet and Wi-Fi hosted PC)
Single-click the wireless icon on the bottom right corner of the Windows task bar
Click your SSID Class-PSK-X
Click Connect
Security Key: aerohive123
Click OK
QUESTIONS?
(Diagram: Internet; ESXi Server with HM VA; Distribution; Access SR2024 PoE with AP; Ethernet and Wi-Fi hosted PC)
or Disable then Enable Local Area Connection 3
Do NOT Disable Local Area Connection 2
In Windows 7, you must enable 802.1X support
As an administrator, from the Start menu type services
Then click Services
Click the Standard tab on the bottom of the Services panel
Locate Wired AutoConfig and right-click
Click Properties
Click Automatic
Click Start
Click OK
SR04866380# show auth int eth1/12
Authentication Entities:
if=interface; UID=User profile group ID; AA=Authenticator Address;
if=eth1/12; idx=16; AA=08ea:4486:638c; Security obj=Secure2; default UID=1;
Protocol suite=802.1X; Auth mode=port based; Failure UID=100; Dynamic VLAN=10;
No.  Supplicant       UID  Life  State  DevType  UserName        Flag
0    000c:2974:aa8e   10   0     done   data     LAB\user4000b   AH
MISC MONITORING
Switch Monitoring
Monitor > Switches: Click on the hostname of the switch
Switch Monitoring: Hover with your mouse over the switch ports
Switch Monitoring: System Details
Switch Monitoring: Port Details and PSE Details
Switch Monitoring: Monitor > Active Clients > Wired Clients. Add the User Profile Attribute column and move it up; it is useful
Switch Monitoring: Click on the MAC address for a wired client to see more information
Switch Monitoring: Utilities > Statistics > Interface
Switch Monitoring: Utilities > Diagnostics > Show PSE
VLAN Probe
NOTE: If you get the same IP subnet for each of the VLANs, that is a sign that the switch uplink port is connected to an access port, not a trunk port like it should be.
Client Monitor
Tools > Client Monitor
Client Monitor can be used to troubleshoot 802.1X/EAP authentication for wired clients
Switch CLI
SR-02-66ec00# show interface switchport
Name: gigabitethernet1/1
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 0
Static Access VLAN: 1
Dynamic Auth VLAN: 0
Name: gigabitethernet1/2
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 10
Static Access VLAN: 10
Dynamic Auth VLAN: 0
Switch CLI
showclientreportclient
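As an added example (not from the course or from HiveOS), the following Python parses the text of `show interface switchport` into per-port records and applies the VLAN Probe rule from the monitoring notes above: if every VLAN comes back with the same subnet, the uplink is on an access port rather than a trunk. The CLI text and the probe results are constructed for the demonstration; the rule that a non-zero dynamic auth VLAN overrides the static access VLAN is an assumption of this example.

```python
# Added example (not Aerohive code): parse "show interface switchport" output
# and check VLAN Probe results for the access-port-instead-of-trunk symptom.
import re
from collections import Counter

# Constructed sample output in the format shown on the slide.
SWITCHPORT_OUTPUT = """\
SR-02-66ec00# show interface switchport
Name: gigabitethernet1/1
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 0
Static Access VLAN: 1
Dynamic Auth VLAN: 0
Name: gigabitethernet1/2
Switchport: enable
Port Mode: access
Port Mirror: disable
Port User-profile ID: 10
Static Access VLAN: 10
Dynamic Auth VLAN: 0
"""


def parse_switchport(text):
    """Return {port_name: {field: value}}. Each record starts at a 'Name:'
    line; numeric fields are converted to int. Lines without a colon
    (the CLI prompt) are ignored."""
    ports, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Name":
            current = ports.setdefault(value, {})
        elif current is not None:
            current[key] = int(value) if value.isdigit() else value
    return ports


def effective_vlan(port):
    """VLAN a client on this port lands in (assumption of this example):
    a non-zero RADIUS-assigned dynamic VLAN overrides the static one."""
    dyn = port.get("Dynamic Auth VLAN", 0)
    return dyn if dyn else port.get("Static Access VLAN")


def vlan_probe_check(results):
    """results: {vlan_id: subnet} as returned by a VLAN probe. If more than
    one VLAN was probed and all of them returned the same subnet, return
    that subnet (uplink is on an access port, not a trunk); else None."""
    subnets = Counter(results.values())
    if len(results) > 1 and len(subnets) == 1:
        return next(iter(subnets))
    return None


# Constructed probe results: a correct trunk uplink and a misconfigured one.
PROBE_OK = {1: "10.100.1.0/24", 2: "10.100.2.0/24",
            8: "10.100.8.0/24", 10: "10.100.10.0/24"}
PROBE_BAD = {1: "10.100.1.0/24", 2: "10.100.1.0/24",
             8: "10.100.1.0/24", 10: "10.100.1.0/24"}

if __name__ == "__main__":
    for name, port in parse_switchport(SWITCHPORT_OUTPUT).items():
        print(name, "user-profile", port["Port User-profile ID"],
              "vlan", effective_vlan(port))
    print("probe ok:", vlan_probe_check(PROBE_OK))
    print("probe bad:", vlan_probe_check(PROBE_BAD))
```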
GENERAL SWITCHING
Storm Control
Enter Switch-X
Notes Below
Click Create
To view certificates, go to Configuration, click Show Nav, then go to Advanced Configuration > Keys and Certificates > Certificate Mgmt
The certificate and key file name is: switch-X_key_cert.pem
QUIZ: Which CA signed this Aerohive switch server key? What devices need to install the CA public cert?
QUESTIONS?
From Configuration, select your Network policy: Access-X
Click OK and then Continue
Name: SR-radius-X
Expand Database Settings
Uncheck Local Database
Check External Database
Under Active Directory, click + to define the RADIUS Active Directory Integration Settings
Name: AD-X
Aerohive device for Active Directory connection setup: select your Switch: SR-0X-#####
This will be used to test Active Directory integration
Once this switch is working, it can be used as a template for configuring other Aerohive device RADIUS servers with Active Directory integration
The IP settings for the selected Aerohive switch are gathered and displayed
Domain: ah-lab.local
Click Retrieve Directory Information
The Active Directory Server IP will be populated as well as the BaseDN used for LDAP user lookups
Click Save
12 =
Netmask: 255.255.255.0
Click Save
NOTE: Your Aerohive switch will have an icon displayed showing that it is a RADIUS server.
QUESTIONS?
Profile Name: Class-AD-X
SSID: Class-AD-X
Under SSID Access Security select WPA/WPA2 802.1X (Enterprise)
Click Save
Ensure Class-AD-X is highlighted then click OK
Click to deselect the Class-PSK-X SSID
Ensure the AD-X SSID is selected
Click OK
Click to deselect Class-PSK-X
RADIUS Name: SWITCH-RADIUS-X
IP Address/Domain Name: 10.5.1.7X (02 = 72, 03 = 73, 12 = 82, 13 = 83)
Leave the Shared Secret empty
Click Apply
When done, click Apply
Click Save
Authentication Tab
In the Authentication tab, select (highlight) Employee-X
NOTE: The (User Profile Attribute) is appended to the User Profile Name
Click Save
Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update
Click OK
QUESTIONS?
In the Certificate Import Wizard click Next
Click Place all certificates in the following store
Click Browse
Click Finish
Click Yes
Click OK
QUESTIONS?
After associating with your SSID, you should see your connection in the active clients list in HiveManager
Go to Monitor > Clients > Wireless Clients
IP Address: 10.5.1.#
User Name: DOMAIN\user
VLAN: 1
NOTE: User Profile Attribute is the Employee-Default-1 user profile for the SSID. This user profile is being assigned because no User Profile Attribute Value was returned from RADIUS.
QUESTIONS?
In your Network policy, you defined an SSID with two user profiles
Employees(1)-1: set if no RADIUS attribute is returned
This user profile, for example, is for general employee staff, and they get assigned to VLAN 1
Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update
For this class, ALL updates should be complete configuration updates
Click OK
QUESTIONS?
AEROHIVE SWITCHES AS BRANCH ROUTERS
(Diagram: SR2024 with 3G/4G LTE USB backup and PoE-powered APs)
Client Visibility: view client information by port
RADIUS Server
Routing between local VLANs
Layer 3 IPSec VPN
NAT for subnets through VPN
NAT port forwarding on WAN
DHCP Server
USB 3G/4G Backup
and more
From Configuration, next to your Network policy Access-X, click the sprocket icon
Click Edit
Next to Device Templates, click Choose
Select your SR2024Default-X device template (configured as switch)
Click the sprocket icon
Click Clone
Name: SR2024-RouterDefault-X
Change the function to Router
Click Save
BR200-WP
AP330 as Router
SR2024 as Branch Router: WAN port example (DSL as WAN; 3G/4G LTE as WAN Backup 1; USB wireless WAN as Backup 2)
When the switch is a router, you must configure at least one port as a WAN port
Click Configure
Click New
Name: WAN-X
Select WAN
Click Save
With WAN-X selected, click OK
The USB Port, Port 23, and Port 24 will now display a WAN (Cloud) icon (USB does not display the cloud icon in this version of code)
Switch Settings: These will be configured later.
PORT TYPES
VLAN-TO-SUBNET ASSIGNMENTS FOR ROUTER INTERFACES
VLAN-to-subnet assignments for router interfaces
If the network policy is configured with Routing, then for every VLAN configured for SSIDs or port types, you must define the IP subnets that will be assigned to the branch routers or to switches acting as branch routers.
The VLANs are automatically populated from the VLANs assigned to user profiles for SSIDs and port types.
If you have additional VLANs to define, you can click Add.
(Diagram: Network 10.102.0.0/16 behind a Cloud VPN Gateway on the Internet, with BR100 branches)
Hosts: 8 bits = 256 branches; 256 - 3 = 253 clients/branch
Note: HiveManager lets you reserve the first or last IP in the subnets as the default gateway for the subnet.
IP Address in binary:  00001010.01100110.00000000.00000000  (10.102.0.0)
Netmask in binary:     11111111.11111111.11111111.00000000  (8 bits for the subnet, 8 bits for hosts)
IP Network: 10.102 / Subnet: third octet / Hosts: fourth octet
10.102.00000000 = 0    hosts 1-254
10.102.00000001 = 1    hosts 1-254
10.102.00000010 = 2    hosts 1-254
10.102.00000011 = 3    hosts 1-254
10.102.00000100 = 4    hosts 1-254
10.102.00000101 = 5    hosts 1-254
10.102.00000110 = 6    hosts 1-254
10.102.00000111 = 7    hosts 1-254
10.102.00001000 = 8    hosts 1-254
..
10.102.11111111 = 255  hosts 1-254
IP Network: 10.102 / Subnet / Hosts
9 bits for the subnet, 7 bits for hosts = 512 branches; 128 - 3 = 125 clients/branch
Note: HiveManager lets you reserve the first or last IP in the subnets as the default gateway for the subnet.
IP Address in binary:  00001010.01100110.00000000.10000000  (10.102.0.128)
Netmask in binary:     11111111.11111111.11111111.10000000  (9 bits for the subnet, 7 bits for hosts)
IP Network: 10.102 / Subnet: third octet plus the first bit of the fourth octet / Hosts: remaining 7 bits
10.102.00000000.0 = 0.0      hosts 1-126
10.102.00000000.1 = 0.128    hosts 129-254
10.102.00000001.0 = 1.0      hosts 1-126
10.102.00000001.1 = 1.128    hosts 129-254
10.102.00000010.0 = 2.0      hosts 1-126
10.102.00000010.1 = 2.128    hosts 129-254
10.102.00000011.0 = 3.0      hosts 1-126
10.102.00000011.1 = 3.128    hosts 129-254
10.102.00000100.0 = 4.0      hosts 1-126
..
10.102.11111111.1 = 255.128  hosts 129-254
(Diagram: Network 10.102.0.0/16 behind a Cloud VPN Gateway on the Internet, with BR100 branches)
Name: Net-Employee1XX (XX=02,03,..15,16)
Web Security: None
DNS Service: Class
Network Type: Internal
NOTE: This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server, and will proxy the DNS requests to the DNS server learned statically or by DHCP on the WAN interface. Separate DNS servers can also be used for internal and external domain resolution.
NOTE: This is the parent network (10.1XX.0.0/16) that will be partitioned to create a number of IP subnets determined by moving the slider bar. The slider bar is used to set the number of branches vs. clients per branch, which defines the subnet mask for each subnet.
Move the slider bar to select 256 branches and 253 clients per branch
Moving the slider bar changes the number of bits in the subnet mask. The clients per branch = 253 in this case because 1 IP is reserved for the router, and then 0 and 255 are not used.
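As an added example (not part of the course material), this Python reproduces the arithmetic behind the slider bar and the binary subnet tables in the VLAN-to-subnet section: how many branches and clients per branch a given number of subnet bits yields, which IP is reserved as the gateway, and the binary form of each subnet. The parent network 10.102.0.0/16 comes from the slides; the function names are mine.

```python
# Added example (not from the Aerohive course): the VLAN-to-subnet slider
# arithmetic. A parent network such as 10.102.0.0/16 is split by choosing
# how many extra bits identify the branch; the remaining bits identify hosts.
import ipaddress


def partition(parent, branch_bits):
    """Split `parent` into 2**branch_bits equal subnets and report the
    figures the slider shows. Usable clients per branch = hosts - 3: the
    all-zeros and all-ones host addresses are not used and one IP is
    reserved for the router (the subnet's default gateway)."""
    net = ipaddress.ip_network(parent)
    prefix = net.prefixlen + branch_bits
    if prefix > 30:
        raise ValueError("too many branch bits: no room left for clients")
    host_bits = 32 - prefix
    subnets = list(net.subnets(new_prefix=prefix))
    return {
        "branches": len(subnets),
        "host_bits": host_bits,
        "netmask": str(subnets[0].netmask),
        "clients_per_branch": 2 ** host_bits - 3,
        "first": str(subnets[0]),
        "last": str(subnets[-1]),
    }


def gateway_for(subnet, reserve_last=False):
    """Gateway IP for a branch subnet: HiveManager lets you reserve either
    the first usable IP (the default here) or the last usable IP."""
    net = ipaddress.ip_network(subnet)
    return str(net[-2] if reserve_last else net[1])


def binary_row(subnet):
    """One row of the slide's binary table: the third and fourth octets of
    the subnet address written out in bits, e.g. 10.102.00000011.10000000."""
    net = ipaddress.ip_network(subnet)
    o = str(net.network_address).split(".")
    return f"{o[0]}.{o[1]}." + ".".join(format(int(x), "08b") for x in o[2:])


if __name__ == "__main__":
    for bits in (8, 9):  # the two slider positions shown on the slides
        print(bits, "branch bits ->", partition("10.102.0.0/16", bits))
    print(binary_row("10.102.3.128/25"), "gateway", gateway_for("10.102.3.128/25"))
```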
(Diagram: BR100 routers at Site-1a, Site-1b and Site-1c connected over the Internet)
To define specific subnets of the Local IP address space to assign to sites: check Allocate local subnetworks by specific IP addresses at sites, and click
IP Address: 10.1XX.1.1 (XX=01,02,03,..18)
Type: Device Tag
(Diagram: Network 10.101.0.0/16 with BR100 routers at Site-1a and Site-1c)
NOTE: This is the parent network (10.1XX.0.0/16) that will be partitioned to create a number of IP subnets determined by moving the slider bar. The slider bar is used to set the number of branches vs. clients per branch, which defines the subnet mask for each subnet.
Move the slider bar to select 256 branches and 253 clients per branch
Moving the slider bar changes the number of bits in the subnet mask. The clients per branch = 253 in this case because 1 IP is reserved for the router, and then 0 and 255 are not used.
Click Save
Ensure your policy is highlighted and click OK
(Diagram: HQ Cloud VPN Gateway with WAN 1.3.2.90; BR100 with WAN 2.50.33.5; BR100 with WAN 2.1.1.20; BR100 Guest Use network; Internet)
Network 192.168.83.0/24 (Guest Use)
DHCP: IP Range 192.168.83.10 - 192.168.83.244
Default Gateway: 192.168.83.1
DNS: 192.168.83.1 (Router is DNS Proxy)
Name: 192.168.83.0Guest-X
Web Security: None
DNS Service: Class
Network Type: Guest Use
Guest Use Network: 192.168.83.0/24
DHCP Address Pool: reserve the first 10
Check Enable DHCP server
NOTE: Devices assigned to a Guest Use network are restricted from accessing the corporate VPN or from initiating communication to corporate devices
Verify your settings
Click Save
Click OK
Ensure Class-PSK-X is highlighted then click OK
Click to deselect the AD-X SSID
Ensure the Class-PSK-X SSID is selected
Click OK
Verify settings
Click Continue
CREATING FILTERS
NOTE: Check Enable NAT
Click Save
Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update
Click OK
(Diagram: Network 10.102.0.0/16 behind a Cloud VPN Gateway on the Internet, with BR100 branches)
Note: One subnet was assigned via classification. The others were assigned dynamically.
SHOW L3 INTERFACE
Single-click the wireless icon on the bottom right corner of the Windows task bar
Click your SSID Class-PSK-X
Click Connect
Security Key: aerohive123
Click OK
In Windows 7, you must enable 802.1X support
As an administrator, from the Start menu type services
Then click Services
Click the Standard tab on the bottom of the Services panel
Locate Wired AutoConfig and right-click
Click Properties
Startup type: Disabled
Click Stop
Click OK
Monitor / Clients / Operation: Deauth Client
Check Clear Cache
Click OK
Click Yes
or Disable then Enable Local Area Connection 3
Do NOT Disable Local Area Connection 2
(Diagram: Headquarters with either AP-300 series APs (128 tunnels) or a VPN Gateway Virtual Appliance in L2 Gateway mode (1024 tunnels); branches with AP-300 series APs and BR-100 in AP mode, over the Internet)
Notes Below
(Diagram: Headquarters with a BR-200 router as Layer 3 VPN server or a VPN Gateway in L3 Gateway mode (1024 tunnels); branches with AP 330/350 in router mode and Aerohive switches in router mode, over the Internet)
Notes Below
VPN Gateway VA
A HiveOS-based Layer 3 IPSec VPN server that is a Virtual Appliance which runs on VMware ESXi
1 VA supports up to 1024 IPSec VPN tunnels
VPN clients: BR100, BR200, HiveAP 330 configured as a Router, HiveAP 350 configured as a Router, Aerohive Switch configured as a Router
(Diagram: Branch Network 172.28.0.0/16 split into branch sub networks 172.28.0.0/24, 172.28.1.0/24 and 172.28.2.0/24, each behind a BR100; HQ Corporate Network 10.1.0.0/16 behind the VPN Gateway; Internet)
Sub Network 172.28.2.0/24
172.28.2.244
Default Gateway: 172.28.2.1
DNS: 172.28.2.1 (Router is DNS Proxy)
Route-based VPN
Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request.
(Diagram: Corporate Network 10.1.0.0/16; HQ VPN Gateway; BR100 routers reached over Tunnel A and Tunnel C across the Internet)
HQ VPN Gateway routes:
  Route: 10.1.0.0/16 to Corp Router
  Route: 172.28.0.0/24 to VPN tunnel A
  Route: 172.28.1.0/24 to VPN tunnel B
  Route: 172.28.2.0/24 to VPN tunnel C
  Route: 0.0.0.0/0 to Internet
BR100 on Tunnel A: local network 172.28.0.0/24
VPN Gateway Deployment Scenarios: Two Interfaces
(Diagram: Headquarters router, inside network, VPN Gateway with LAN (Eth1) and WAN (Eth0) interfaces, firewall, DMZ, IPSec VPN over the Internet to a branch office)
VPN Gateway with two interfaces configured
The LAN interface is connected to the inside network
Traffic from the inside network destined for an IP address in a branch office is sent to the LAN interface on the VPN Gateway to be encrypted and sent through a VPN to a branch office
Routing protocols, OSPF or RIPv2, can be run on the LAN interface so that the VPN Gateway can exchange routes with the inside network router
The WAN interface is connected to the DMZ or outside network and is used to terminate the VPNs
VPN Gateway Deployment Scenarios: One Interface
(Diagram: Headquarters router, inside (clear) network, firewall, DMZ, VPN Gateway with a single WAN (Eth0) interface, IPSec VPN over the Internet to a branch office)
VPN Gateway with one interface configured (One Arm)
The WAN interface is connected to a firewall interface in the DMZ
Traffic from the inside network destined for an IP address in a branch office is sent to the firewall, which forwards the traffic to the VPN Gateway as the next hop to the branch office routers
The VPN Gateway encrypts the traffic and sends the traffic back to the firewall destined to a branch office router
You can statically enter routes, or run a dynamic routing protocol, OSPF or RIPv2, on the WAN interface to exchange routes with the firewall
(Diagram of the training lab: firewall inside interface with bridge group interface 10.5.1.1 and HiveManager at 10.5.1.20; firewall DMZ interface eth0/0 1.2.2.1/24 with NAT 1.2.2.X to 10.200.2.X; VPN Gateway WAN interface Eth0 10.200.2.X/24, gateway 10.200.2.1, X=2,3,..,14,15; branch office with public IP 2.1.1.10 and internal network 10.102.1.0/24; IPSec VPN over the Internet)
In the training lab, the VPN Gateways learn routes via OSPF from the firewall, which are: 10.5.2.0/24, 10.5.8.0/24, & 10.5.10.0/24
The firewall learns the routes from the VPN Gateways to all the branch office routers via OSPF
The branch office routers exchange their routes with their VPN Gateways
With the AH_HiveOS.ova file selected click Next
EXAMPLE: INITIAL CONFIGURATION OF A VPN GATEWAY VIRTUAL APPLIANCE
Type 2 to manually configure interface settings and press Enter
The VPN Gateway will check its connection to its default gateway and the Aerohive License server
For the question: Do you want to reset the networking? press Enter, or type no and press Enter
Optionally you can use an HTTP proxy
Click Apply
Diagram (Headquarters / DMZ / Branch Office): BR100 at the branch, sub network 10.102.1.0/24, IPSec VPN over the Internet; VPN Gateway WAN interface Eth0 10.200.2.X/24, Gateway 10.200.2.1; Firewall inside interfaces: bgroup0 10.5.1.1/24 VLAN 1 OSPF area 0, bgroup0.2 10.5.2.1/24 VLAN 2 OSPF area 0, bgroup0.8 10.5.8.1/24 VLAN 8 OSPF area 0, bgroup0.10 10.5.10.1/24 VLAN 10 OSPF area 0; OSPF area 0.0.0.0 (same as 0)
In a one-armed configuration, OSPF or RIPv2 can be enabled on the WAN interface to dynamically learn network routes from the upstream device (e.g. firewall), and advertise the
Diagram (Headquarters / Branch Office 1 routes): BR100 sub network 10.102.1.0/24; VPN Gateway WAN interface Eth0 10.200.2.2/24, Gateway 10.200.2.1; Firewall inside interfaces bgroup0 10.5.1.1/24 VLAN 1, bgroup0.2 10.5.2.1/24 VLAN 2, bgroup0.8 10.5.8.1/24 VLAN 8, bgroup0.10 10.5.10.1/24 VLAN 10, all OSPF area 0 (0.0.0.0, same as 0)
Routes to Headquarters through VPN: 10.5.1.0/24 to VPN, 10.5.2.0/24 to VPN, 10.5.8.0/24 to VPN, 10.5.10.0/24 to VPN
VPN Routes to Branch 1: Network 10.102.1.0/24 to 10.200.2.2
Local Routes: 10.5.1.0/24 to 10.200.2.1, 10.5.2.0/24 to 10.200.2.1, 10.5.8.0/24 to 10.200.2.1, 10.5.10.0/24 to 10.200.2.1, 0.0.0.0/0 to 10.200.2.1
Note: Aerohive uses a TCP-based mechanism through the VPN tunnel to check for route updates between branch sites and the VPN Gateways every minute by default.
Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update
Click OK
VPN TROUBLESHOOTING
Click Tools... Diagnostics, Show IKE Event
If you see that phase 1 failed due to wrong network settings:
Check the IP settings in the VPN services policy
Check the NAT settings on the external firewall
Please be patient, it will take a minute or two for the VPNs to establish
To verify the routes learned via OSPF:
Go to Monitor, VPN Gateways
Check the box next to your HiveOS-VAXX
Select Utilities... SSH Client
Single-click the wireless icon on the bottom right corner of the Windows task bar
Click your SSID Class-PSK-X
Click Connect
Security Key: aerohive123
Click OK
Diagram: Headquarters (VPN Gateway in the DMZ) and Branch Office 1 (BR100), IPSec VPN to Branch Office 1 over the Internet
POLICY-BASED ROUTING (PBR)
*A low cost American beer that has been around a long time, but was not popular. However, over the last few years it has become more popular in bars and
Diagram: branch router with VPN to HQ, Internet and 3G/4G/LTE uplinks; Employees and Guests user profiles; PoE
Policy-based routing is used mainly in conjunction with the layer 3 IPSec VPN tunneling capabilities, though it does not require VPN
Policy-based routing lets you decide how traffic is forwarded out of a router
Decisions are made based on IP reachability of tracked IP addresses and user profiles
Forwarding can be out any WAN port, USB wireless, Wi-Fi connection, or VPN
Route-based VPN
Private vs. Internet Traffic
Diagram: HQ with Corporate Network 10.1.0.0/16 and (Internal) VPN Gateway: Route: 10.1.0.0/16 to Corp Router, Route: 172.28.2.0/24 to VPN Tunnel A, Route: 0.0.0.0/0 to Internet Gateway; Branch Office BR100: Local network: 172.28.2.0/24, Route: 10.1.0.0/16 through VPN Tunnel A, Route: 0.0.0.0/0 to Internet Gateway; Cloud / Internet between them
Three types of routes in a branch office are:
Private routes learned over the VPN from the
POLICY-BASED ROUTING
Source and Destination are used to match a packet
Forwarding actions determine where to send the packet
Diagram: branch router with VPN to HQ, Internet and 3G/4G LTE uplinks; Track IP: ntp1.aerohive.com 206.80.44.205; Employees and Guests user profiles
If no response is received, you can make routing decisions such as failing over to wireless USB (3G/4G LTE)
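The decision the slides describe (match on user profile and destination, then forward out the first path whose tracked IP group still answers) can be modelled as a small policy engine. The following is an added example written for this page, not Aerohive or HiveOS code; the rule layout, interface names ("VPN", "WAN", "USB-3G/4G"), the track group name "wan-primary" and the probe results are constructed assumptions. Only the tracked address 206.80.44.205 (ntp1.aerohive.com) comes from the slide.

```python
"""Policy-based routing decision with tracked-IP failover (added example)."""
import ipaddress
from dataclasses import dataclass

# Track IP group for the WAN interface. 206.80.44.205 (ntp1.aerohive.com) is the
# tracked address on the slide; the group name "wan-primary" is an assumption.
TRACK_GROUPS = {"wan-primary": ["206.80.44.205"]}


@dataclass
class PbrRule:
    user_profile: str   # "Employees", "Guests" or "any"
    destination: str    # CIDR prefix or "any"
    forwarding: list    # ordered (interface, track group or None) candidates


def track_group_up(group, probe_results):
    """A group is up when at least one of its tracked IPs answered the probe.

    probe_results maps IP -> True/False; an IP that was never probed counts as down.
    """
    return any(probe_results.get(ip, False) for ip in TRACK_GROUPS[group])


def select_egress(rules, user_profile, dst_ip, probe_results, default="WAN"):
    """First matching rule wins; inside it, the first usable forwarding action
    is taken. A matched rule whose paths are all down drops the packet rather
    than falling through to a later rule (an assumption of this model)."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.user_profile not in ("any", user_profile):
            continue
        if rule.destination != "any" and dst not in ipaddress.ip_network(rule.destination):
            continue
        for iface, track in rule.forwarding:
            if track is None or track_group_up(track, probe_results):
                return iface
        return "drop"
    return default   # no matching policy: fall back to the normal route lookup


# Constructed policy: employees reach HQ (10.1.0.0/16) over the VPN while the
# WAN is healthy and fall back to the USB 3G/4G modem; guests only ever get
# Internet and never a VPN path.
LAB_RULES = [
    PbrRule("Employees", "10.1.0.0/16", [("VPN", "wan-primary"), ("USB-3G/4G", None)]),
    PbrRule("Guests", "any", [("WAN", "wan-primary"), ("USB-3G/4G", None)]),
    PbrRule("Employees", "any", [("WAN", "wan-primary"), ("USB-3G/4G", None)]),
]

# Constructed probe results for the tracked address.
WAN_UP = {"206.80.44.205": True}
WAN_DOWN = {"206.80.44.205": False}


def demo():
    """Egress decisions for a few constructed packets."""
    return {
        "employee_hq_wan_up": select_egress(LAB_RULES, "Employees", "10.1.5.5", WAN_UP),
        "employee_hq_wan_down": select_egress(LAB_RULES, "Employees", "10.1.5.5", WAN_DOWN),
        "guest_internet_wan_up": select_egress(LAB_RULES, "Guests", "8.8.8.8", WAN_UP),
        "guest_internet_wan_down": select_egress(LAB_RULES, "Guests", "8.8.8.8", WAN_DOWN),
        "unknown_profile": select_egress(LAB_RULES, "Printers", "8.8.8.8", WAN_UP),
    }


if __name__ == "__main__":
    for name, egress in demo().items():
        print(f"{name}: {egress}")
```

The order of the forwarding list is the failover order, and the track group decides whether a candidate counts as reachable; with no tracked IP answering, the employee HQ traffic moves to the USB modem exactly as the slide describes.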
Expand Service Settings
For Track IP Groups for WAN Interface, there are two backup track IP groups and one primary
Next to Primary, click +
Expand Router Settings
Next to Routing Policy, click +
Create New
Name: PBR-X
Under Routing Policies, select Custom
Click + to add a new policy
Click the top +
Policy-Based Routing Analysis
Policy-Based Routing: Policy Used For No Matching Routes
Policy-Based Routing
Caution in 6.0r2a if not using VPN
If you are not using VPN, do not create a policy-based routing policy using: Source: Any, Destination: Any
If you do, traffic may get sent back out the WAN as primary instead of being sent to a local route.
POLICY-BASED ROUTING SIMPLE TEST
POLICY-BASED ROUTING DEFAULT SPLIT TUNNEL
Use if you do not want to create a custom policy and you have VPN configured
COOKIE-CUTTER VPN
Diagram: Branch 1: 10.1.1.0/24, Branch 2: 10.1.1.0/24, Branch 3:
Diagram: Corporate Network 10.0.0.0/8; Tunnel Routes: 10.102.1.0/24 tunnel 1, 10.102.2.0/24 tunnel 2, 10.102.3.0/24 tunnel 3
Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24, which NATs: 10.102.1.1 to 10.1.1.1, 10.102.1.2 to 10.1.1.2, .., 10.102.1.255 to 10.1.1.255
Branch 2: NAT 10.102.2.0/24 to 10.1.1.0/24, which NATs: 10.102.2.1 to 10.1.1.1, 10.102.2.2 to 10.1.1.2, .., 10.102.2.255 to 10.1.1.255
The branch routers' NAT subnets are unique subnets per site (non cookie-cutter), and can be mapped to sites dynamically, or via device classification
Each NAT IP address can be accessed from corporate through the VPN
Each NAT mapping is bidirectional, so traffic to HQ will be sourced from each NAT address
DNS Service: select the quick start automatically generated object: Class
Network Type: Internal Use
Under subnetworks click New
NOTE: This Quick Start DNS Service object sets clients to use the router interface IP as the DNS server, and will proxy the DNS requests to the DNS server learned statically or by DHCP on the WAN interface
Check Allocate NAT subnetworks by specific IP addresses at sites
Click New
IP Address: 1.1XX.1.1
Type: Device Tags
Value: Site-Xa (Your Switch)
Click Apply
NOTE: Any device tag you have defined elsewhere is automatically populated. You can also start typing to narrow the value list
With these settings, each site will get assigned to one of the /24 NAT subnets in 1.1XX.0.0/16. Entering a single IP address locks the NAT IP address and the NAT subnet to which it belongs to a specific site.
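The two pieces of the cookie-cutter design covered above, the per-site NAT subnet (allocated dynamically or locked to a site by a single IP address) and the bidirectional one-to-one mapping between the shared 10.1.1.0/24 and that NAT subnet, fit in one model. This is an added example written for this page, not Aerohive code: the pool block 10.102.0.0/16, the site names, the tunnel numbers and the choice to lock Branch 2 are constructed assumptions; the address arithmetic is the one the slides' mapping table implies (host part preserved, 10.1.1.2 <-> 10.102.1.2).

```python
"""Cookie-cutter VPN: NAT subnet allocation and one-to-one subnet NAT (added example)."""
import ipaddress


class NatSubnetPool:
    """Hands out /24 NAT subnets from one block, either dynamically or pinned
    to a site by a single IP address inside the wanted subnet (the slide's
    "Allocate NAT subnetworks by specific IP addresses at sites")."""

    def __init__(self, block):
        self.block = ipaddress.ip_network(block)
        self.assigned = {}   # site name -> IPv4Network (/24)

    def lock(self, site, ip_in_subnet):
        """Pin the /24 containing ip_in_subnet to this site. The subnet must lie
        inside the block and must not already belong to another site."""
        net = ipaddress.ip_network(f"{ip_in_subnet}/24", strict=False)
        if not net.subnet_of(self.block):
            raise ValueError(f"{net} is outside {self.block}")
        if net in self.assigned.values() and self.assigned.get(site) != net:
            raise ValueError(f"{net} is already assigned to another site")
        self.assigned[site] = net
        return net

    def allocate(self, site):
        """Dynamic assignment: first free /24 in the block, skipping locked ones."""
        if site in self.assigned:
            return self.assigned[site]
        used = set(self.assigned.values())
        for net in self.block.subnets(new_prefix=24):
            if net not in used:
                self.assigned[site] = net
                return net
        raise RuntimeError("NAT subnet pool exhausted")


class CookieCutterSite:
    """One branch: the shared local subnet, a unique NAT subnet, one tunnel."""

    def __init__(self, name, local_net, nat_net, tunnel):
        self.name = name
        self.local_net = ipaddress.ip_network(local_net)
        self.nat_net = ipaddress.ip_network(nat_net)
        if self.local_net.prefixlen != self.nat_net.prefixlen:
            raise ValueError("one-to-one subnet NAT needs equal-sized subnets")
        self.tunnel = tunnel

    def translate(self, addr):
        """Bidirectional one-to-one mapping that preserves the host part, so the
        same function serves both directions: local -> NAT and NAT -> local."""
        a = ipaddress.ip_address(addr)
        if a in self.local_net:
            return self.nat_net[int(a) - int(self.local_net.network_address)]
        if a in self.nat_net:
            return self.local_net[int(a) - int(self.nat_net.network_address)]
        raise ValueError(f"{a} is in neither {self.local_net} nor {self.nat_net}")


def hq_tunnel_for(sites, nat_addr):
    """Route lookup at HQ: the NAT subnet identifies the branch, hence the tunnel."""
    a = ipaddress.ip_address(nat_addr)
    for site in sites:
        if a in site.nat_net:
            return site.tunnel
    return None


def build_lab():
    """Constructed lab: Branch 2 is pinned (as a device-tag classification would
    do) to 10.102.2.0/24; Branches 1 and 3 are assigned dynamically."""
    pool = NatSubnetPool("10.102.0.0/16")
    pool.lock("Branch 2", "10.102.2.1")
    nets = {s: pool.allocate(s) for s in ("Branch 1", "Branch 2", "Branch 3")}
    tunnels = {"Branch 1": 1, "Branch 2": 2, "Branch 3": 3}
    return [CookieCutterSite(s, "10.1.1.0/24", str(nets[s]), tunnels[s]) for s in tunnels]


if __name__ == "__main__":
    for site in build_lab():
        print(site.name, site.nat_net, "tunnel", site.tunnel,
              "10.1.1.7 ->", site.translate("10.1.1.7"))
```

Because the mapping is a pure offset, a corporate host that reaches 10.102.2.7 through tunnel 2 lands on 10.1.1.7 at Branch 2, and a reply from that host is sourced as 10.102.2.7 again, which is the bidirectional behaviour the slides state.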
Verify your settings
Click Save
Click Save
Click OK
PERFORM A COMPLETE UPLOAD
Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update
Click OK
Diagram: Tunnel Routes: 10.102.1.0/24 tunnel 1, 10.102.2.0/24 tunnel 2, 10.102.3.0/24 tunnel 3 (the branch routers)
Note: One subnet was assigned via classification. The others were assigned dynamically.
From Configuration, Routers, check the box next to your simulated devices that start with: SR-02-SIMUXXXXXX
Warning: Do NOT remove the real router
Click Device Inventory and click Remove
Click Remove from the warning popup
Diagram (two VPN Gateways behind the DMZ firewall): Firewall FW eth0/0 209.128.76.30 (Internet), NAT 209.128.76.28 to 10.1.101.2, NAT 209.128.76.29 to 10.1.102.2; FW eth0/1 DMZ 802.1Q trunk, VLAN 101 and 102: FW eth0/1.1 10.1.101.1/24 vlan 101, FW eth0/1.2 10.1.102.1/24 vlan 102; FW eth0/2 10.5.1.1/24 Inside, Protocol OSPF area 0.0.0.0, eth0/2 cost 1000; Internal Network with AD Server 10.5.1.10; VPN Gateway 1 eth0 LAN 1: 10.1.101.2/24, Protocol OSPF area 0.0.0.1; VPN Gateway 2 eth0 LAN 1: 10.1.102.2/24, Protocol OSPF area 0.0.0.2; Branch Office 1: Tunnel 1 to 209.128.76.28 pref 1, Tunnel 2 to 209.128.76.29 pref 2, VLAN 10 10.1.1.0/24 Employee Net, One-to-One Subnet NAT
VPN tunnels are built from branch offices to the VPN gateways
Traffic from the branch offices is decrypted at the VPN gateways and sent to the DMZ firewall for access to the Internet network
Traffic destined to IP addresses at branch offices is sent to the firewall, which looks up the IP and finds the route to the VPN gateway, which encrypts the traffic and sends it through a tunnel to a branch office
Diagram: Tunnel Routes: 10.102.1.0/24 tunnel 1, 10.102.2.0/24 tunnel 2; Branch 1: NAT 10.102.1.0/24 to 10.1.1.0/24; Branch 2: NAT 10.102.1.0/24 to 10.1.1.0/24
Two new certificates were created for this lab, you can use those or the defaults if the root CA did not change
Click Save
Select Update Devices
Select Perform a complete configuration update for all selected devices
Click Update
BRANCH ROUTER WAN INTERFACE NAT PORT FORWARDING
Monitor, Routers
Select your Router
Click on Utilities, SSH Client
Click on Connect
Type: show ip iptables nat
Diagram: BR200 with interface mgt0 172.18.0.1/24 VLAN 1, PoE cable to a mesh AP with interface mgt0 172.18.0.2/24 VLAN 1, and a second mesh AP with interface mgt0 172.18.0.3/24 VLAN 1
Ethernet Switch Ports Eth1 to Eth4 (Layer 2): Assigned to VLANs and Networks by LAN Profiles; May be 802.1Q VLAN trunk ports or access ports
Router WAN Port Eth0: 192.168.1.10/24, No VLAN
Logical IP Interfaces: mgt0 (Management) 172.18.0.1/24 VLAN 1; mgt0.1 10.102.0.1/24 VLAN 102 - Employee; mgt0.2 172.16.102.1/24 VLAN 202 - Guest
Interfaces mgt0.1 through mgt0.16 may be created, each supporting routing for a different IP network.
Diagram (AP): Logical IP Interfaces: mgt0 (Management) 172.18.0.1/24 VLAN 1 (Native); mgt0.1 10.102.0.1/24 Employee - VLAN 10; mgt0.2 10.202.0.1/24 Voice VLAN 2; mgt0.3 192.168.83.1/24 Guest - VLAN 8; mgt0.4 172.28.0.1/25; 802.1Q VLAN Trunk, VLANs: 1 (Native), 2, 8, 10
Note: You should define a native network using VLAN 1, which must match the native VLAN configured for the management interface, which by default is 1.
Logical IP Interface: mgt0 (Management) 172.18.0.1/24 VLAN 1
Layer 2 Interfaces: VLAN 1 (Native); SSID: Class-PSK, Employee - VLAN 10; SSID: Class-Voice, Voice VLAN 2; SSID: Class-Guest, Guest VLAN 8
Router Firewall
General Guidelines
Router firewall is not the same firewall used in User Profiles for Aerohive access points
Firewall rules are applied in the branch router for both wireless and wired traffic
AP firewall can still be used for wireless clients if so desired
L7 not yet supported in the router firewall
Diagram: Internet, Branch Router (router firewall for wired and wireless traffic), PoE, AP
Router Firewall
General Guidelines
Rules are processed top down and the first matching rule is used
After a rule is matched a stateful session is created using: Source IP, Destination IP, IP Protocol, Source Port, Destination Port
The reverse session is also created for return traffic
More than just an IP firewall, the router firewall can look at:
Traffic Source: IP Network, IP Range, Network Object, User Profile, VPN, or IP Wildcard
Traffic Destination:
Diagram: Inside 10.5.1.102, Internet 72.20.106.66; Firewall Policies: Default Action: Deny
HTTP initiated from inside the network to a web server on the Internet:
Source IP 10.5.1.102, Dest IP 72.20.106.66, Proto 6 (TCP), Source Port 3456, Dest Port 80, Data HTTP GET
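The two guideline slides above (top-down first match; a permitted flow creates a session keyed on the 5-tuple plus its reverse so the reply passes) and the HTTP flow from this slide can be exercised in a small simulator. This is an added example written for this page, not Aerohive or HiveOS code. The rule syntax is constructed; the policy mirrors the lab's "deny any private IP through the router, allow everything else", except that the permit rule is restricted to the slide's inside subnet 10.5.1.0/24 (an assumption made so that the default action is observable); the 10.5.1.102:3456 -> 72.20.106.66:80 flow is the slide's, the other packets are constructed.

```python
"""Branch router firewall: first-match rules with stateful sessions (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

TCP, UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int

    def key(self):
        """The 5-tuple the slides list for a session."""
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_key(self):
        """The 5-tuple the reply will carry."""
        return (self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    src: str              # prefix or "any"
    dst: str              # prefix or "any"
    proto: Optional[int]  # None matches any IP protocol
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"

    def matches(self, pkt):
        def in_spec(spec, addr):
            return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
        return (in_spec(self.src, pkt.src) and in_spec(self.dst, pkt.dst)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


class RouterFirewall:
    def __init__(self, rules, default_action="deny"):
        self.rules = list(rules)
        self.default_action = default_action
        self.sessions = set()   # established 5-tuples, both directions

    def process(self, pkt):
        """Return (verdict, what produced it)."""
        if pkt.key() in self.sessions:
            return "permit", "session"          # stateful: no rule lookup needed
        for n, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):               # top-down, first match wins
                if rule.action == "permit":
                    self.sessions.add(pkt.key())
                    self.sessions.add(pkt.reverse_key())   # reverse session for return traffic
                return rule.action, f"rule {n}"
        return self.default_action, "default"


def lab_policy():
    """Constructed approximation of the lab policy: block RFC 1918 destinations
    through the router, permit the rest when sourced from the inside subnet."""
    return RouterFirewall([
        Rule("any", "10.0.0.0/8", None, None, "deny"),
        Rule("any", "172.16.0.0/12", None, None, "deny"),
        Rule("any", "192.168.0.0/16", None, None, "deny"),
        Rule("10.5.1.0/24", "any", None, None, "permit"),
    ], default_action="deny")


def demo():
    """Run the slide's HTTP flow and a few constructed packets through the policy."""
    fw = lab_policy()
    http = Packet("10.5.1.102", "72.20.106.66", TCP, 3456, 80)       # slide: HTTP GET
    reply = Packet("72.20.106.66", "10.5.1.102", TCP, 80, 3456)      # server's answer
    unsolicited = Packet("72.20.106.66", "10.5.1.102", TCP, 80, 9999)  # no matching session
    to_private = Packet("10.5.1.102", "192.168.50.1", TCP, 4000, 22)  # private destination
    transit = Packet("8.8.8.8", "72.20.106.66", UDP, 53, 53)         # not from inside
    return {
        "http": fw.process(http),
        "reply": fw.process(reply),
        "unsolicited": fw.process(unsolicited),
        "to_private": fw.process(to_private),
        "transit": fw.process(transit),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The reply is accepted by the session table without touching the rules, while a packet from the same server with a different source port has no session and is evaluated top-down, where the first rule (private destination) denies it. This is why rule order matters and why the lab suggests dragging rules to reorder them.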
To implement a router firewall:
In your network policy, next to Router Firewall, click Choose
In Choose Firewall click New
Logging: Disable
Select the radio button for the Default Rule to Deny all
Note: This is not needed, but it is a good general practice.
This policy denies access to any private IP address through the router, and allows everything else
Also, you can drag and drop the rules to change their order
Click Save
Diagram: HQ VPN Gateway routes: Route: 10.1.0.0/16 to Corp Router; Route: 172.28.0.0/24 to VPN tunnel A; Route: 172.28.1.0/24 to VPN tunnel B; Route: 172.28.2.0/24 to VPN tunnel C; Route: 0.0.0.0/0 to Internet Gateway; Corporate Network 10.1.0.0/16; branch BR100 routers on Tunnel A (Local network: 172.28.0.0/24) and Tunnel C, across the Internet
Routers (VPN clients) ask the VPN Gateway for updated route information and provide their own route changes over the VPN tunnel every minute by default using a TCP request
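The route-based VPN slide earlier (three kinds of routes at a branch: local network, private routes learned over the VPN, default to the Internet gateway) and the periodic exchange described here can be modelled together: a gateway route table with longest-prefix matching, and an update in which each branch reports its local networks and receives the gateway's private routes. This is an added example written for this page, not Aerohive code; the prefixes and tunnel names are the slide's, while the message shape, the withdrawal of networks a branch no longer reports, and the 60-second constant are constructed assumptions (the slide states only "every minute by default").

```python
"""Route-based VPN: gateway route table and per-minute route exchange (added example)."""
import ipaddress

UPDATE_INTERVAL_S = 60   # slide: route updates every minute by default


class RouteTable:
    def __init__(self):
        self.routes = {}   # IPv4Network -> next hop or tunnel name

    def add(self, prefix, next_hop):
        self.routes[ipaddress.ip_network(str(prefix))] = next_hop

    def remove(self, prefix):
        self.routes.pop(ipaddress.ip_network(str(prefix)), None)

    def lookup(self, addr):
        """Longest-prefix match; the default route wins only when nothing else does."""
        a = ipaddress.ip_address(addr)
        best = None
        for net, hop in self.routes.items():
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None


class VpnGateway:
    """HQ gateway: static routes to the corporate router and the Internet,
    plus one route per branch network learned through the exchange."""

    def __init__(self):
        self.table = RouteTable()
        self.table.add("10.1.0.0/16", "Corp Router")
        self.table.add("0.0.0.0/0", "Internet Gateway")
        self.branch_nets = {}   # tunnel -> networks the branch last reported

    def handle_update(self, tunnel, local_networks):
        """Process one branch update: install newly reported networks behind its
        tunnel, withdraw those no longer reported, and answer with the private
        routes the branch should send over the VPN (everything but the default
        and the branch's own networks)."""
        reported = {ipaddress.ip_network(n) for n in local_networks}
        previous = self.branch_nets.get(tunnel, set())
        for net in previous - reported:
            self.table.remove(net)
        for net in reported:
            self.table.add(net, tunnel)
        self.branch_nets[tunnel] = reported
        return {str(n): hop for n, hop in self.table.routes.items()
                if n.prefixlen > 0 and hop != tunnel}


class BranchRouter:
    """VPN client holding the slide's three route types: local networks, private
    routes learned over the VPN, and a default to the local Internet gateway."""

    def __init__(self, tunnel, local_networks):
        self.tunnel = tunnel
        self.local_networks = list(local_networks)
        self.table = RouteTable()
        for n in local_networks:
            self.table.add(n, "local")
        self.table.add("0.0.0.0/0", "Internet Gateway")

    def exchange(self, gateway):
        """One periodic exchange: report local networks, install learned routes via the tunnel."""
        learned = gateway.handle_update(self.tunnel, self.local_networks)
        for prefix in learned:
            self.table.add(prefix, f"VPN {self.tunnel}")
        return learned


def build_lab():
    """Constructed lab matching the slide: three branches on tunnels A, B, C."""
    gw = VpnGateway()
    branches = [BranchRouter("Tunnel A", ["172.28.0.0/24"]),
                BranchRouter("Tunnel B", ["172.28.1.0/24"]),
                BranchRouter("Tunnel C", ["172.28.2.0/24"])]
    for b in branches:
        b.exchange(gw)
    return gw, branches


if __name__ == "__main__":
    gw, branches = build_lab()
    for net, hop in sorted(gw.table.routes.items(), key=lambda r: r[0].prefixlen):
        print(f"HQ gateway: {net} -> {hop}")
    print("Branch A to 10.1.3.3 ->", branches[0].table.lookup("10.1.3.3"))
```

The gateway's table after the exchange matches the slide (10.1.0.0/16 to the corporate router, each 172.28.x.0/24 behind its tunnel, default to the Internet), and a branch that stops reporting a network sees it withdrawn on the next update rather than lingering as a stale tunnel route.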
1. Client makes an HTTP/HTTPS request
2. Aerohive BR checks if client network is configured to use web security
3. Aerohive BR confirms traffic is not destined for resources across the tunnel and is not whitelisted as trusted
4. Traffic is forwarded with client identity to the cloud security partner and processed based on identity
Diagram: Class Switch, BR100
MISC